Key rate of quantum key distribution with hashed two-way classical communication* 
I. INTRODUCTION

Quantum key distribution (QKD) protocols provide a 
way for two parties, a sender, Alice, and a receiver, Bob, 
to share an unconditionally secure key in the presence 
of an eavesdropper, Eve. Unlike conventional schemes 
of key distribution that rely on unproven computational 
assumptions, the security of QKD protocols is guaranteed 
by the principles of quantum mechanics. 

QKD protocols usually consist of two parts, a quantum and a classical part. Alice sends a binary sequence to Bob in the quantum part by encoding it into quantum states that are randomly chosen from a set of non-orthogonal states. Since unknown non-orthogonal states cannot be cloned perfectly, any eavesdropping attempt by Eve will disturb the transmitted quantum states. Thus, by estimating the error rate of the transmitted quantum states, Alice and Bob can estimate the amount of information that Eve has gained. For the sequence that remains after the error estimation phase, which is usually called the raw key, Alice and Bob first carry out an information reconciliation (IR) protocol [1] to share the same bit sequence. Alice and Bob then distill the final secure key by conducting a privacy amplification (PA) protocol [2].

The best-known QKD protocols are the Bennett-Brassard 1984 (BB84) protocol [3] and the six-state protocol [4]. The unconditional security of the BB84 protocol has been proved [5], [6], [7]. Shor and Preskill [8] presented a simple proof of the BB84 protocol by showing that the QKD protocol that uses the entanglement distillation protocol (EDP) [9], [10] can be converted into the BB84 protocol. After that, the unconditional security of the six-state protocol was proved [11] by using the same technique as Shor and Preskill used [8]. Recently, the security of generic QKD protocols that include the BB84 protocol and the six-state protocol has been proved [12], [13], [14]; these proofs are based on information theoretical techniques instead of Shor and Preskill's technique.

In addition to the security of QKD protocols, the key rates of QKD protocols are also important, where the key rate is defined by the ratio of the length of the final secure key to the length of the raw key. Gottesman and Lo [15] converted EDPs that use two-way classical communication into QKD protocols that use the same communication. More specifically, they proposed preprocessing that uses two-way classical communication. By inserting this two-way preprocessing before the conventional one-way IR protocol, the key rates of QKD protocols are increased when the error rate of a channel expressed as a percentage is more than about 9 %. Indeed, the tolerable error rate of the BB84 protocol is increased from 11 % to 18.9 %, and that of the six-state protocol is increased from 12.7 % to 26.4 %, where the tolerable error rate is the error rate at which the key rate becomes zero. Chau later showed that the two-way BB84 protocol can tolerate 20.0 % error rate, and that the two-way six-state protocol can tolerate 27.6 % error rate [16]. Recently, this kind of two-way preprocessing has been applied to QKD protocols with weak coherent pulses [17], [18]. It should be noted that this preprocessing is also known within the classical key agreement context, in which it is usually called an advantage distillation protocol [19]. Bae and Acin [20] and Acin et al. [21] extensively studied the noise tolerance of QKD protocols with advantage distillation protocols; we, on the other hand, are interested in the key rates of QKD protocols in this paper.



Vollbrecht and Verstraete proposed a new type of two-way EDP [22]. This protocol uses previously shared EPR pairs as an assistant resource (two-way breeding EDP), and the distillation rate of this EDP exceeds that of one-way EDPs for a whole range of fidelities, where a fidelity is that between the initial mixed state and the EPR pair. Using the fact that a breeding EDP can be converted into a QKD protocol assisted by one-time pad encryption with a pre-shared secret key [23], Vollbrecht and Verstraete's two-way breeding EDP [22] was converted into a two-way QKD protocol assisted by one-time pad encryption [17], [24]. The key rate of the converted QKD protocol is higher than that of one-way QKD protocols [1], [11] for a whole range of error rates. It should be noted that the use of a pre-shared secret key is not the basis of their improvement, because any QKD protocol that makes use of a pre-shared key can be transformed into an equally efficient protocol that does not need a pre-shared secret key.



We propose an IR protocol that uses two-way classical communication in this paper. Our proposed protocol is based on Vollbrecht and Verstraete's idea of two-way breeding EDP [22], but does not require any pre-shared secret keys. Furthermore, our protocol does not leak information that is redundantly leaked to Eve in [17], [24]. More precisely, in these protocols [17, 24], Alice sends a redundant message that is useless to Bob, but is useful to Eve. However, in the proposed protocol, Alice does not send that redundant information. As a result, for the BB84 and six-state protocol, the key rates of the QKD protocols that use our IR protocol are higher than those of previously known protocols for a wide range of error rates. Especially, the key rate of our protocol is higher than those of known protocols [1], [11], [17], [24] for the whole range of error rates. We also show the relation between the proposed protocol and the advantage distillation protocol, i.e., the B-step of Gottesman and Lo [15] (Remark 4). We also show the relation between the proposed QKD protocol and Vollbrecht and Verstraete's EDP. As a result, it turns out that there does not seem to be any EDP that corresponds to our proposed protocol (Remark 5).



The rest of this paper is organized as follows. Section II proposes a two-way IR protocol. Section III presents the key rate formula of the QKD protocol that uses our proposed IR protocol. There is a proof of the key rate formula in Appendix D. Section IV presents the key rate formula as a function of error rate. The proof of this formula is presented in Appendix E.



II. TWO-WAY INFORMATION 
RECONCILIATION PROTOCOL 

We propose an IR protocol that uses two-way classical communication (called two-way IR protocol after this) in this section. When Alice and Bob have correlated classical sequences, $\mathbf{x}, \mathbf{y} \in \mathbb{F}_2^{2n}$, the purpose of IR protocols for Alice and Bob is to share the same classical sequence by exchanging messages over a public authenticated channel, where $\mathbb{F}_2$ is the field of order 2. Here, we assume that the pair of sequences $(\mathbf{x}, \mathbf{y})$ is independently identically distributed (i.i.d.) according to a joint probability distribution, $P_{XY}$, on $\mathbb{F}_2 \times \mathbb{F}_2$.

Let us review some notations for a linear code to describe our IR protocol. An $[n, n-m]$ linear code, $C_{n,m}$, is an $(n-m)$-dimensional linear subspace of $\mathbb{F}_2^n$. Then, a parity check matrix, $M_{C_{n,m}}$, of code $C_{n,m}$ is an $m \times n$ matrix of rank $m$ with 0, 1 entries such that $\mathbf{c} M_{C_{n,m}}^T = \mathbf{0}$ for any $\mathbf{c} \in C_{n,m}$, where $M_{C_{n,m}}^T$ is the transpose matrix of $M_{C_{n,m}}$. A decoder, $g_{C_{n,m}}$, of code $C_{n,m}$ is a map from a syndrome, $\mathbf{t} \in \mathbb{F}_2^m$, to an error, $\mathbf{e} \in \mathcal{D}(\mathbf{t})$, where $\mathcal{D}(\mathbf{t}) := \{\mathbf{e} \in \mathbb{F}_2^n \mid \mathbf{e} M_{C_{n,m}}^T = \mathbf{t}\}$ is the set of errors whose syndromes are $\mathbf{t}$. After this, we will assume that a linear code is implicitly specified with a parity check matrix and a decoder.

We need to define some auxiliary random variables to describe our IR protocol. Let $\xi_1 : \mathbb{F}_2^2 \to \mathbb{F}_2$ be a function defined as $\xi_1(a_1, a_2) := a_1 + a_2$ for $a_1, a_2 \in \mathbb{F}_2$, and let $\xi_2 : \mathbb{F}_2^2 \to \mathbb{F}_2$ be a function defined as $\xi_2(a, 0) := a$ and $\xi_2(a, 1) := 0$ for $a \in \mathbb{F}_2$. For a pair of joint random variables $((X_1, Y_1), (X_2, Y_2))$ with a distribution, $P_{XY}^2$, define random variables $U_1 := \xi_1(X_1, X_2)$, $V_1 := \xi_1(Y_1, Y_2)$ and $W_1 := U_1 + V_1$. Furthermore, define random variables $U_2 := \xi_2(X_2, W_1)$, $V_2 := \xi_2(Y_2, W_1)$ and $W_2 := U_2 + V_2$. For the pair of sequences, $\mathbf{x} = (x_{11}, x_{12}, \ldots, x_{n1}, x_{n2})$ and $\mathbf{y} = (y_{11}, y_{12}, \ldots, y_{n1}, y_{n2})$, which is distributed according to the product distribution, $P_{XY}^{2n}$, let $\mathbf{u}$, $\mathbf{v}$ and $\mathbf{w}$ be $2n$-bit sequences such that

$$u_{i1} := \xi_1(x_{i1}, x_{i2}), \quad v_{i1} := \xi_1(y_{i1}, y_{i2}), \quad w_{i1} := u_{i1} + v_{i1}$$

and

$$u_{i2} := \xi_2(x_{i2}, w_{i1}), \quad v_{i2} := \xi_2(y_{i2}, w_{i1}), \quad w_{i2} := u_{i2} + v_{i2}$$

for $1 \le i \le n$. Then, the pair $(\mathbf{u}, \mathbf{v})$ is distributed according to the distribution, $P_{U_1 U_2 V_1 V_2}^n$, and the discrepancy, $\mathbf{w}$, between $\mathbf{u}$ and $\mathbf{v}$ is distributed according to the distribution, $P_{W_1 W_2}^n$. For sequence $\mathbf{w}$, let $T_b := \{j \mid 1 \le j \le n,\ w_{j1} = b\}$ be the set of indices of blocks such that the parities of the discrepancies are $b$. For the subsequence, $\mathbf{u}_2 := (u_{12}, \ldots, u_{n2})$, let $\mathbf{u}_{2,T_b}$ be the subsequence that consists of the $i$-th bit of $\mathbf{u}_2$ such that $i \in T_b$.

Well-known methods [21], [22] of two-way processing within the key distillation context have been to classify blocks of length 2 according to the parity, $w_{i1}$, of the discrepancies in each block. In conventional two-way processing of the key distillation protocols, which is so-called advantage distillation protocols, Alice sends the parity sequence, $\mathbf{u}_1 := (u_{11}, \ldots, u_{n1})$, to Bob so that he can identify the parity sequence, $\mathbf{w}_1 := (w_{11}, \ldots, w_{n1})$, of the discrepancies. Then, Alice and Bob discard $\mathbf{u}_1$ and $\mathbf{v}_1 := (v_{11}, \ldots, v_{n1})$ respectively, because $\mathbf{u}_1$ is revealed to Eve. Furthermore, Alice and Bob discard the second bit of the $i$-th block, if the parity of the discrepancies is 1, i.e., $i \in T_1$. Finally, Alice and Bob undertake an error correction procedure for the subsequences $(\mathbf{u}_{2,T_0}, \mathbf{v}_{2,T_0})$. More precisely, Alice sends the syndrome, $\mathbf{t}_2 := \mathbf{u}_{2,T_0} M_{C_{n_0,m_0}}^T$, for the prescribed $[n_0, n_0 - m_0]$ linear code, and then Bob decodes $\hat{\mathbf{w}}_{2,T_0} := g_{C_{n_0,m_0}}(\mathbf{t}_2 + \mathbf{v}_{2,T_0} M_{C_{n_0,m_0}}^T)$ and obtains $\mathbf{v}_{2,T_0} + \hat{\mathbf{w}}_{2,T_0}$, where $n_0 := |T_0|$ is the cardinality of the set, $T_0$.

Our two-way IR protocol, which is based on Vollbrecht and Verstraete's idea of two-way EDP [22], is quite similar to the previously described two-way processing except for one significant change. As is usual in information theory, if we allow negligible error probability, Alice does not need to send the parity sequence, $\mathbf{u}_1$, to Bob to identify parity sequence $\mathbf{w}_1$. More precisely, Bob can decode $\mathbf{w}_1$ with negligible decoding error probability if Alice sends a syndrome, $\mathbf{t}_1 := \mathbf{u}_1 M_{C_{n,m}}^T$, for a linear code such that the rate is $\frac{m}{n} \simeq H(P_{W_1})$ [?, Corollary 2]. Since Eve's available information from syndrome $\mathbf{t}_1$ is much smaller than that from sequence $\mathbf{u}_1$ itself, our IR protocol is more efficient than the above-mentioned two-way processing in most cases, which will be discussed in Section IV. Our IR protocol is formally executed as follows, where the tilde "~" and hat "^" on a sequence, a set or a number indicate that they are guessed versions of those without these superscripts. Note that the inputs of the IR protocol are Alice's bit sequence $\mathbf{x}$ and Bob's bit sequence $\mathbf{y}$, and the outputs of the IR protocol are a sequence, $\tilde{\mathbf{u}}$, guessed by Alice and a sequence, $\hat{\mathbf{u}}$, guessed by Bob.

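(i) Alice locally computes $\mathbf{u}_1$ and Bob does the same for $\mathbf{v}_1$.

(ii) For a prescribed $[n, n-m]$ linear code, $C_{n,m}$, Alice sends syndrome $\mathbf{t}_1 = \mathbf{u}_1 M_{C_{n,m}}^T$ to Bob.

(iii) Bob decodes $\hat{\mathbf{w}}_1 := g_{C_{n,m}}(\mathbf{t}_1 + \mathbf{v}_1 M_{C_{n,m}}^T)$, and sends $\hat{\mathbf{w}}_1$ to Alice.

(iv) Alice computes $\tilde{\mathbf{u}}_2$. If the number, $\hat{n}_0 := |\{i \mid \hat{w}_{i1} = 0\}|$, of blocks such that the guessed parity, $\hat{w}_{i1}$, of the discrepancies is 0 does not satisfy $\underline{n}_0 \le \hat{n}_0 \le \overline{n}_0$ for prescribed integers, $\underline{n}_0$ and $\overline{n}_0$, then Bob randomly guesses $\hat{\mathbf{u}}_{2,\hat{T}_0}$. Otherwise, Alice sends the syndrome, $\mathbf{t}_2 := \tilde{\mathbf{u}}_{2,\hat{T}_0} M_{C_{\hat{n}_0,m_0}}^T$, for a prescribed $[\hat{n}_0, \hat{n}_0 - m_0]$ linear code, $C_{\hat{n}_0,m_0}$.

(v) Bob decodes $\hat{\mathbf{w}}_{2,\hat{T}_0} := g_{C_{\hat{n}_0,m_0}}(\mathbf{t}_2 + \mathbf{v}_{2,\hat{T}_0} M_{C_{\hat{n}_0,m_0}}^T)$, and obtains $\hat{\mathbf{u}}_{2,\hat{T}_0} := \mathbf{v}_{2,\hat{T}_0} + \hat{\mathbf{w}}_{2,\hat{T}_0}$.

Note that $\tilde{\mathbf{u}}_{2,\hat{T}_1}$ and $\hat{\mathbf{u}}_{2,\hat{T}_1}$ are set to all 0s in our protocol, which is mathematically equivalent to discarding them.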

According to the universal channel coding theorem for the linear code [?, Corollary 2], rates $\frac{m}{n} = H(P_{W_1}) + \delta$ and $\frac{m_0}{\hat{n}_0} = H(P_{W_2|W_1=0}) + \delta$ for small $\delta > 0$ are sufficient for Bob to decode $\mathbf{w}_1$ and $\mathbf{w}_{2,T_0}$ with negligible decoding error probability. Furthermore, we set $\underline{n}_0 := n(P_{W_1}(0) - \delta)$ and $\overline{n}_0 := n(P_{W_1}(0) + \delta)$ to satisfy the condition, $\underline{n}_0 \le \hat{n}_0 \le \overline{n}_0$, in Step (iv) with high probability.
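Steps (i)-(v) above, run end to end on a constructed 14-bit input. This is an added illustration, not code from the paper: the Hamming-style parity check matrix and the brute-force minimum-weight decoder stand in for the universal codes the text requires, Bob's first-bit estimate $\mathbf{v}_1 + \hat{\mathbf{w}}_1$ and the use of `None` for his random guess are modelling assumptions, and all function names are hypothetical.

```python
from itertools import combinations

def xi1(a1, a2):
    """xi_1(a1, a2) := a1 + a2 over F_2."""
    return a1 ^ a2

def xi2(a, w):
    """xi_2(a, 0) := a and xi_2(a, 1) := 0."""
    return a if w == 0 else 0

def parity_check(n, m):
    """Toy m x n parity check matrix: column j is the binary expansion of j."""
    if not 1 <= n <= 2 ** m - 1:
        raise ValueError("need 1 <= n <= 2^m - 1 for distinct non-zero columns")
    return [[(j >> r) & 1 for j in range(1, n + 1)] for r in range(m)]

def syndrome(M, vec):
    """vec * M^T over F_2."""
    return tuple(sum(a & b for a, b in zip(row, vec)) % 2 for row in M)

def decode(M, t, n):
    """Decoder g_C: a lowest-weight error e with e * M^T = t (brute force)."""
    for weight in range(n + 1):
        for support in combinations(range(n), weight):
            e = [1 if i in support else 0 for i in range(n)]
            if syndrome(M, e) == t:
                return e
    raise ValueError("no error pattern has this syndrome")

def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))

def two_way_ir(x, y, m=3, m0=3, n0_bounds=(1, 7)):
    """Return (Alice's u~, Bob's u^, public transcript) for 2n-bit x and y."""
    n = len(x) // 2
    # (i) block parities computed locally
    u1 = [xi1(x[2 * i], x[2 * i + 1]) for i in range(n)]
    v1 = [xi1(y[2 * i], y[2 * i + 1]) for i in range(n)]
    # (ii) Alice publishes only the m-bit syndrome of u1, not u1 itself
    M = parity_check(n, m)
    t1 = syndrome(M, u1)
    # (iii) t1 + v1 M^T is the syndrome of w1 = u1 + v1; Bob decodes and announces it
    w1_hat = decode(M, xor(t1, syndrome(M, v1)), n)
    # (iv) second bits survive only in blocks whose guessed parity is 0
    T0 = [i for i in range(n) if w1_hat[i] == 0]
    u2 = [xi2(x[2 * i + 1], w1_hat[i]) for i in range(n)]
    v2 = [xi2(y[2 * i + 1], w1_hat[i]) for i in range(n)]
    public = {"t1": t1, "w1_hat": w1_hat, "t2": None}
    if not n0_bounds[0] <= len(T0) <= n0_bounds[1]:
        return u1 + u2, None, public  # the paper has Bob guess at random here
    M0 = parity_check(len(T0), m0)
    t2 = syndrome(M0, [u2[i] for i in T0])
    public["t2"] = t2
    # (v) Bob corrects his second bits on T0; bits on T1 stay 0
    v2_T0 = [v2[i] for i in T0]
    w2_hat = decode(M0, xor(t2, syndrome(M0, v2_T0)), len(T0))
    u2_hat = [0] * n
    for k, i in enumerate(T0):
        u2_hat[i] = v2_T0[k] ^ w2_hat[k]
    u1_hat = [a ^ b for a, b in zip(v1, w1_hat)]  # assumed: Bob's estimate of u1
    return u1 + u2, u1_hat + u2_hat, public

# Constructed sample: n = 7 blocks. Bob's copy has one flipped bit in block 2
# (discrepancy parity 1) and both bits flipped in block 5 (discrepancy parity 0).
X_SAMPLE = [1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0]
Y_SAMPLE = [1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0]

if __name__ == "__main__":
    alice, bob, public = two_way_ir(X_SAMPLE, Y_SAMPLE)
    print("keys agree:", alice == bob)
    print("public transcript:", public)
```

On this input the transcript carries a 3-bit syndrome in place of the 7-bit parity sequence $\mathbf{u}_1$ that the conventional processing would reveal.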

Remark 1 Since we cannot estimate the probability distribution of error exactly in QKD protocols and the actual distribution fluctuates around the estimated error distribution, universality of codes is required. Even though the distribution of errors in the QKD protocols is not necessarily i.i.d., it is sufficient to consider a universality condition on codes for the i.i.d. case. More precisely, it is sufficient to use a linear code such that the decoding error probability of the linear code is universally small for any binary symmetric channel whose crossover probability is close to the estimated error rate. Such observations were first pointed out by Hamada [13]. Efficiently decodable linear codes such as the low density parity check matrix code [28] and the turbo code [29] satisfy this condition.

III. SECURITY OF QKD AND KEY RATE 

This section presents the asymptotic key rate of QKD protocols that employ the IR protocol proposed in Section II. The asymptotic key rate is derived by the security proof method [13].

We implement a prepare and measure scheme in a practical QKD protocol. However, when we analyze the security of a QKD protocol, it is usually more convenient to consider its entanglement-based version. Without compromising security, we can assume that Alice and Bob's raw keys and bit sequences for error estimation are obtained by measuring a bipartite state, $\rho_{A^N B^N}$, on $N$ pairs of bipartite systems $(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes N}$, that $\rho_{A^N B^N}$ is invariant under the permutation of the systems [42], and that Eve can access $\mathrm{Tr}_{A^N B^N}[\rho_{A^N B^N E^N}]$ for a purification $\rho_{A^N B^N E^N}$ of $\rho_{A^N B^N}$ (see also [12], [13]). The specific form of $\rho_{A^N B^N}$ depends on which scheme Alice and Bob employ to transmit a binary sequence, noise in the channel, and Eve's attack. From [3, Lemma 4.2.2], without loss of generality, we can assume that purification $\rho_{A^N B^N E^N}$ lies on the symmetric subspace of $(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes N}$, because any purification can be transformed into another purification using Eve's local operation.

Before the protocol is started, Alice and Bob discard the last $k$ subsystems, $\mathcal{H}_A^{\otimes k} \otimes \mathcal{H}_B^{\otimes k}$, for technical reasons of security proof. More specifically, $k$ subsystems are discarded to apply the de Finetti style representation theorem [3, Theorem 4.3.2] (see also [30]) in the security proof. Therefore, we set $N := 2n + m + k$. Then, Alice and Bob conduct the protocol for the state, $\rho_{A^{2n+m} B^{2n+m}} := \mathrm{Tr}_{A^k B^k}[\rho_{A^N B^N}]$, where $k$ is the number of discarded systems, $m$ is the number of systems for parameter estimation, and $2n$ is the number of systems that are used for key distillation.

First, Alice and Bob undertake the following parameter estimation protocol for the last $m$ subsystems of the state $\rho_{A^{2n+m} B^{2n+m}}$. The parameter estimation protocol is conducted to estimate the number of discrepancies between Alice and Bob's raw keys, and the amount of information that Eve has gained by eavesdropping.

(i) Alice and Bob carry out a bipartite positive operator valued measurement (POVM), $\mathcal{M} := \{M_a\}_{a \in \mathcal{A}}$, for each system, $\mathcal{H}_A \otimes \mathcal{H}_B$, where $\mathcal{A}$ is the set of measurement outcomes. The specific form of $\mathcal{M}$ depends on which scheme we use.

(ii) If the type, $P_{\mathbf{a}}$, of the measurement outcomes, $\mathbf{a} = (a_1, \ldots, a_m)$, satisfies $P_{\mathbf{a}} \in \mathcal{Q}$ for a prescribed set, $\mathcal{Q}$, the protocol outputs the type, $Q := P_{\mathbf{a}}$, and Alice and Bob conduct the key distillation protocol according to $Q$, where the type of sequence $\mathbf{a} = (a_1, \ldots, a_m)$ is the frequency distribution defined by

$$P_{\mathbf{a}}(a) := \frac{|\{i \mid 1 \le i \le m,\ a_i = a\}|}{m} \quad \text{for } a \in \mathcal{A}$$

(for more details on the type, see [31, Chapter 11]). Otherwise, it outputs "abort".

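It is convenient to describe the parameter estimation protocol using a completely positive (CP) map as follows. Let $\mathcal{M}^{\otimes m} := \{M_{\mathbf{a}}\}_{\mathbf{a} \in \mathcal{A}^m}$ be a product POVM on $(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes m}$, where $M_{\mathbf{a}} = M_{a_1} \otimes \cdots \otimes M_{a_m}$. Then, we can define a CP map, $\mathcal{E}_Q$, by

$$\mathcal{E}_Q : \rho_m \mapsto \sum_{\mathbf{a} \in T_Q^m(\mathcal{A})} \mathrm{Tr}[M_{\mathbf{a}} \rho_m], \qquad (1)$$

which maps the density operator to the probability such that the parameter estimation protocol outputs $Q$, where $T_Q^m(\mathcal{A})$ is the set of all sequences on $\mathcal{A}^m$ with type $Q$.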

When the output of the parameter estimation protocol is $Q \in \mathcal{Q}$, Alice, Bob, and Eve's tripartite state is given by

$$\rho^Q_{A^{2n} B^{2n} E^N} := \frac{1}{P_{\mathrm{PE}}(Q)} (\mathrm{id}_{A^{2n} B^{2n}} \otimes \mathcal{E}_Q \otimes \mathrm{id}_{E^N})(\rho_{A^{2n+m} B^{2n+m} E^N}),$$

where $P_{\mathrm{PE}}(Q)$ is a probability such that the parameter estimation protocol outputs $Q$, and $\mathrm{id}$ denotes the identity map on each system.

Alice and Bob apply a measurement $\mathcal{M}_{XY} := \{M_x \otimes M_y\}_{(x,y) \in \mathbb{F}_2 \times \mathbb{F}_2}$ on $\mathcal{H}_A \otimes \mathcal{H}_B$ to the remaining $2n$ systems to obtain classical data (raw keys). Then, Alice and Bob's measurement results, $(\mathbf{x}, \mathbf{y}) \in \mathbb{F}_2^{2n} \times \mathbb{F}_2^{2n}$, and Eve's available information is described by a {ccq}-state


where we introduce a CP map, $\mathcal{E}_{XY}$, that describes the measurement procedure for convenience.

According to output $Q$ of the parameter estimation protocol, Alice and Bob decide the parameters of the IR protocol: rate $R(Q) := \frac{m}{n}$ of linear code $C_{n,m}$, numbers $\underline{n}_0(Q)$ and $\overline{n}_0(Q)$ that are used in Step (iv), and rate $R_0(Q) := \frac{m_0}{\hat{n}_0}$ of linear code $C_{\hat{n}_0,m_0}$ for $\underline{n}_0(Q) \le \hat{n}_0 \le \overline{n}_0(Q)$. Furthermore, Alice and Bob also decide the length, $\ell(Q)$, of the finally distilled key according to $Q$. According to the determined parameters, a final secure key pair is distilled as follows.

(i) Alice and Bob undertake the two-way IR protocol in Section II, and Alice obtains $\tilde{\mathbf{u}}$ and Bob obtains $\hat{\mathbf{u}}$.

(ii) Alice and Bob carry out a privacy amplification (PA) protocol to distill a key pair $(s_A, s_B)$ such that Eve has little information about it. Alice first randomly chooses a hash function, $f : \mathbb{F}_2^{2n} \to \{0, 1\}^{\ell(Q)}$, from a family of two-universal hash functions (refer to [3, Definition 5.2.1] for a formal definition of a family of two-universal hash functions), and sends the choice of $f$ to Bob over the public channel. Then, Alice's distilled key is $s_A = f(\tilde{\mathbf{u}})$ and Bob's distilled key is $s_B = f(\hat{\mathbf{u}})$.

The distilled key pair and Eve's available information can be described by a {cccq}-state, $\rho^Q_{S_A S_B C E^N}$, where classical system $C$ consists of random variables $(T_1, T_2, \hat{W}_1)$ that describe the exchanged messages $(\mathbf{t}_1, \mathbf{t}_2, \hat{\mathbf{w}}_1)$ in the IR protocol and random variable $F$ that describes the choice of the hash function in the PA protocol. To define the security of the distilled key pair $(S_A, S_B)$, we use the universally composable security definition [32], [33], which is defined by the trace distance between the actual key pair and the ideal key pair. We cannot state security in QKD protocols in the sense that the distilled key pair $(S_A, S_B)$ is secure for a particular output $Q$ of the parameter estimation protocol, because there is a slight possibility that the parameter estimation protocol will not output "abort" even though Eve has so much information. The QKD protocol is said to be $\varepsilon$-secure (in the sense of the average over the outputs of the parameter estimation protocol) if

$$\sum_{Q \in \mathcal{Q}} P_{\mathrm{PE}}(Q) \frac{1}{2} \left\| \rho^Q_{S_A S_B C E^N} - \rho^{Q,\mathrm{mix}}_{S_A S_B} \otimes \rho^Q_{C E^N} \right\| \le \varepsilon, \qquad (2)$$

where $\rho^{Q,\mathrm{mix}}_{S_A S_B} := \sum_{s \in \mathcal{S}_Q} \frac{1}{|\mathcal{S}_Q|} |s, s\rangle\langle s, s|$ is the uniformly distributed key on the key space $\mathcal{S}_Q := \{0, 1\}^{\ell(Q)}$.

To state the relation between the security and the asymptotic key rate of the previously mentioned QKD protocol, define

$$\Gamma(Q) := \{\sigma_{AB} \mid P^{\sigma_{AB}}_{\mathcal{M}} = Q\}$$

as the set of two-qubit density operators that are compatible with output $Q$ of the parameter estimation protocol, where $P^{\sigma_{AB}}_{\mathcal{M}}$ denotes the probability distribution of the outcomes when measuring $\sigma_{AB}$ with POVM $\mathcal{M}$, i.e., $P^{\sigma_{AB}}_{\mathcal{M}}(a) := \mathrm{Tr}[M_a \sigma_{AB}]$. For a purification, $\sigma_{ABE}$, of a density operator, $\sigma_{AB} \in \Gamma(Q)$, let $\sigma_{X_1 X_2 Y_1 Y_2 E_1 E_2} := (\mathcal{E}_{XY}^{\otimes 2} \otimes \mathrm{id}_E^{\otimes 2})(\sigma_{ABE}^{\otimes 2})$ be a {ccq}-state that consists of 2-bit pairs $((X_1, X_2), (Y_1, Y_2))$ and environment systems $E_1, E_2$. By using functions $\xi_1$ and $\xi_2$, define random variables $(U_1, U_2, W_1, W_2)$ for the pair of bits $((X_1, X_2), (Y_1, Y_2))$ in the same way as in Section II. Then, let $\sigma_{U_1 U_2 W_1 E_1 E_2}$ and $\sigma_{U_2 W_1 U_1 E_1 E_2}$ be density operators that respectively describe the classical random variables $(U_1, U_2, W_1)$ and $(U_2, W_1, U_1)$ with the environment system $E_1, E_2$.



Theorem 2 For $Q \in \mathcal{Q}$, i.e., the output of the parameter estimation protocol such that the QKD protocol does not abort, let $\frac{\ell(Q)}{2n}$ be the key rate of the protocol. For any $\varepsilon > 0$, if the key rate satisfies

$$\frac{\ell(Q)}{2n} < \frac{1}{2} \min_{\sigma_{AB} \in \Gamma(Q)} \max\big[ H_\sigma(U_1 U_2 | W_1 E_1 E_2) - H(P_{W_1}) - P_{W_1}(0) H(P_{W_2|W_1=0}),\ H_\sigma(U_2 | W_1 U_1 E_1 E_2) - P_{W_1}(0) H(P_{W_2|W_1=0}) \big], \qquad (3)$$

then there exists a protocol that is $\varepsilon$-secure in the sense of Eq. (2) for sufficiently large $n$, where $H_\rho(A|B) := H(\rho_{AB}) - H(\rho_B)$ is conditional von Neumann entropy [34], and $H(P)$ is Shannon entropy [31].



The meaning of the two arguments of the maximum in Eq. (3) should be noted. The first argument states that the key rate is given by the difference between Eve's ambiguity, $H_\sigma(U_1 U_2 | W_1 E_1 E_2)$, about Alice's reconciled key and the amount, $H(P_{W_1}) + P_{W_1}(0) H(P_{W_2|W_1=0})$, of information leaked in the IR protocol. On the other hand, since information leaked from the syndrome, $\mathbf{t}_1 = \mathbf{u}_1 M_{C_{n,m}}^T$, cannot be more than $\mathbf{u}_1$ itself, we can evaluate the key rate under the condition that Eve can access $\mathbf{u}_1$ itself, i.e., Eve's ambiguity, $H_\sigma(U_2 | W_1 U_1 E_1 E_2)$, about Alice's reconciled key and the amount, $P_{W_1}(0) H(P_{W_2|W_1=0})$, of information leaked in the IR protocol. If either of them is omitted, the key rate is underestimated, which will be discussed in Section IV.

Theorem 2 is formally proved by demonstrating the above intuition formally, where we use a security proof method [3]. More precisely, we use the techniques of privacy amplification and minimum entropy, and the de Finetti style representation theorem and the property of symmetric states (see [3]). Since the techniques used in the proof are not new and involved, we give the proof for Theorem 2 in the Appendix.



IV. ANALYSIS OF KEY RATE 

Here, we analyze the asymptotic key rate formula in Theorem 2. More precisely, we derive a specific form of the key rate formulas as functions of the error rates for the six-state [4] and BB84 [3] protocols.

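Before analyzing the key rate, let us define some notations. For $x, z \in \mathbb{F}_2$, let

$$|\psi(x, z)\rangle := \frac{1}{\sqrt{2}} \big( |0\rangle|0 + x\rangle + (-1)^z |1\rangle|1 + x\rangle \big)$$

be the Bell states on two-qubit systems $\mathcal{H}_A \otimes \mathcal{H}_B$. For a probability distribution, $P_{XZ}$, on $\mathbb{F}_2 \times \mathbb{F}_2$, a state of the form,

$$\sum_{x, z \in \mathbb{F}_2} P_{XZ}(x, z) |\psi(x, z)\rangle\langle\psi(x, z)|,$$

is called a Bell diagonal state. We occasionally abbreviate $P_{XZ}(x, z)$ as $p_{xz}$.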

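Theorem 3 For a Bell diagonal state, $\sigma_{AB} = \sum_{x, z \in \mathbb{F}_2} P_{XZ}(x, z) |\psi(x, z)\rangle\langle\psi(x, z)|$, we have

$$\frac{1}{2} \max\big[ H_\sigma(U_1 U_2 | W_1 E_1 E_2) - H(P_{W_1}) - P_{W_1}(0) H(P_{W_2|W_1=0}),\ H_\sigma(U_2 | W_1 U_1 E_1 E_2) - P_{W_1}(0) H(P_{W_2|W_1=0}) \big]$$
$$= \max\left[ 1 - H(P_{XZ}) + \frac{\bar{P}_X(1)}{2} h\!\left( \frac{p_{00} p_{10} + p_{01} p_{11}}{(p_{00} + p_{01})(p_{10} + p_{11})} \right),\ \frac{\bar{P}_X(0)}{2} \big( 1 - H(\tilde{P}_{XZ}) \big) \right], \qquad (4)$$

where $h(p) := -p \log p - (1 - p) \log(1 - p)$ is the binary entropy function,

$$\bar{P}_X(0) := (p_{00} + p_{01})^2 + (p_{10} + p_{11})^2,$$

$$\bar{P}_X(1) := 2 (p_{00} + p_{01})(p_{10} + p_{11}),$$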



and 



P00+P01 



i$z(0,0) := 

J*z(0,l) := 
^xz(M) ■■= 



The theorem is proved by a straightforward calculation. Thus, the proof is presented in Appendix E.

The six-state protocol [4] uses three different bases defined by $z$-basis $\{|0_z\rangle, |1_z\rangle\}$, $x$-basis $\{\frac{1}{\sqrt{2}}(|0_z\rangle \pm |1_z\rangle)\}$, and $y$-basis $\{\frac{1}{\sqrt{2}}(|0_z\rangle \pm i|1_z\rangle)\}$. When Alice and Bob obtain an error rate, $e$, the set $\Gamma(Q)$ consists of states whose Bell diagonal entries $p_{00}, p_{10}, p_{01}, p_{11}$ satisfy conditions $p_{10} + p_{11} = e$, $p_{01} + p_{11} = e$, and $p_{01} + p_{10} = e$. Together with the normalization condition, we find $p_{00} = 1 - \frac{3e}{2}$ and $p_{10} = p_{01} = p_{11} = \frac{e}{2}$. Since it is sufficient only to minimize over the Bell diagonal states (see Appendix F), the key rate of the six-state protocol for the error rate $e$ is given by substituting $p_{00} = 1 - \frac{3e}{2}$ and $p_{10} = p_{01} = p_{11} = \frac{e}{2}$ into Eq. (4). The key rate of the six-state protocol that uses the proposed IR protocol is plotted in Fig. 1.

FIG. 1: (Color online) Comparison of the key rates of the six-state protocols. "Proposed" is the key rate of the six-state protocol that uses the proposed IR protocol. "Vollbrecht et al." is the key rate of the two-way six-state protocol of [17], [24]. "B-step" is the key rate of the two-way six-state protocol of [15]. "One-way" is the key rate of the one-way six-state protocol with the noisy preprocessing [13]. It should be noted that the key rates of two-way six-state protocols of [14], [15] are slightly higher than that of the proposed protocol for much higher error rate.

The BB84 protocol is similar to the six-state protocol, but only uses the $z$-basis and the $x$-basis to transmit a bit sequence. Thus, we only obtain two conditions on the four coefficients $p_{00}, p_{10}, p_{01}, p_{11}$. Thus, the set $\Gamma(Q)$ consists of states whose Bell diagonal entries satisfy conditions $p_{10} + p_{11} = e$ and $p_{01} + p_{11} = e$. The resulting candidates for Bell diagonal states in $\Gamma(Q)$ have coefficients $p_{00} = 1 - 2e + p_{11}$, $p_{10} = p_{01} = e - p_{11}$, and $p_{11} \in [0, e]$, and we have to minimize the key rate formula of Eq. (4) over the free parameter, $p_{11} \in [0, e]$. The key rate of the BB84 protocol that uses the proposed IR protocol is plotted in Fig. 2.

Remark 4 By using the chain rule of von Neumann entropy, we can rewrite the l.h.s. of Eq. (4) as

$$\frac{1}{2} \big\{ \max[ H_\sigma(U_1 | W_1 E_1 E_2) - H(P_{W_1}),\ 0 ] + H_\sigma(U_2 | W_1 U_1 E_1 E_2) - P_{W_1}(0) H(P_{W_2|W_1=0}) \big\}. \qquad (5)$$

We can interpret this formula as follows. If Bob's ambiguity, $H(P_{W_1})$, about bit $U_1$, i.e., the amount of transmitted syndrome per bit, is smaller than Eve's ambiguity, $H_\sigma(U_1 | W_1 E_1 E_2)$, about bit $U_1$, then Eve cannot decode sequence $\mathbf{u}_1$ [35], [36], and there exists some remaining ambiguity about bit $U_1$ for Eve. We can thus distill some secure key from bit $U_1$. On the other hand, if Bob's ambiguity, $H(P_{W_1})$, about bit $U_1$, i.e., the amount of transmitted syndrome per bit, is larger than Eve's ambiguity, $H_\sigma(U_1 | W_1 E_1 E_2)$, about $U_1$, then Eve might be able to decode sequence $\mathbf{u}_1$ from her side information, $W_1$, $E_1$, $E_2$, and the transmitted syndrome [35], [36]. Thus, there exists the possibility that Eve can completely know bit $U_1$, and we can distill no secure key from bit $U_1$, because we have to consider the worst case in a cryptographic scenario. Consequently, sending the hashed version (syndrome) of sequence $\mathbf{u}_1$ instead of $\mathbf{u}_1$ itself is not always effective, and the slopes of the key rate curves in Figs. 1 and 2 change when Eve becomes able to decode $\mathbf{u}_1$.

FIG. 2: (Color online) Comparison of the key rates of the BB84 protocols. "Proposed" is the key rate of the BB84 protocol that uses the proposed IR protocol. "Vollbrecht et al." is the key rate of the two-way BB84 protocol of [17], [24]. "B-step" is the key rate of the two-way BB84 protocol of [15]. "One-way" is the key rate of the one-way BB84 protocol with the noisy preprocessing

The second and third terms of Eq. (5) are the same as the key rate formula of the protocol that uses Gottesman and Lo's B-step [15] followed by error correction and privacy amplification. Even though Alice sends the sequence $\mathbf{u}_1$ itself instead of its hashed version in the B-step, the key rate of the protocol with the B-step is equal to that of the proposed protocol for high error rates, because Eve can decode sequence $\mathbf{u}_1$ from her side information and the transmitted syndrome.

Remark 5 The yield of Vollbrecht and Verstraete's EDP [22] and the key rate of the QKD protocols [17, 24] are given by

We can find by the concavity of the binary entropy function that the first argument in the maximum of the r.h.s. of Eq. (4) is larger than the value in Eq. (6). To explain why the key rate of the proposed protocol is higher than that of [17], [24], we need to review the EDP [22] by using the notations in Section II. Assume that Alice and Bob share Bell diagonal states, $\sigma_{AB}^{\otimes 2n}$. First, Alice and Bob divide $2n$ pairs into $n$ blocks of length 2, and locally carry out CNOT operation on each block, where the $2i$-th pair is the source and $(2i-1)$-th pair is the target. Then, Alice and Bob undertake the breeding protocol to guess bit flip errors in the $(2i-1)$-th pair for all $i$. The guessed bit flip errors can be described by a sequence, $\hat{\mathbf{w}}_1$. Note that two-way communication is used in this step. According to sequence $\hat{\mathbf{w}}_1$, Alice and Bob classify indices of blocks into two sets, $\hat{T}_0$ and $\hat{T}_1$. For a collection of $2i$-th pairs such that $i \in \hat{T}_0$, Alice and Bob conduct the breeding protocol to correct bit flip errors. For a collection of $2i$-th pairs such that $i \in \hat{T}_1$, Alice and Bob perform measurements by $\{|0_z\rangle, |1_z\rangle\}$ basis, and obtain measurement results, $\mathbf{x}_{2,\hat{T}_1}$ and $\mathbf{y}_{2,\hat{T}_1}$. Alice sends $\mathbf{x}_{2,\hat{T}_1}$ to Bob. Alice and Bob correct the phase errors for the remaining pairs by using information $\hat{T}_0$ and $\hat{T}_1$, and bit flip error $\mathbf{x}_{2,\hat{T}_1} + \mathbf{y}_{2,\hat{T}_1}$.

If we convert this EDP into a QKD protocol, the difference between that QKD protocol and ours is as follows. In the protocol converted from [22], after Step (iii), Alice reveals the sequence, $\mathbf{x}_{2,\hat{T}_1}$, which consists of the second bit, $x_{i2}$, of the $i$-th block such that the parity of discrepancies $\hat{w}_{i1}$ is 1. However, Alice discards $\mathbf{x}_{2,\hat{T}_1}$ in the proposed IR protocol of Section II. Since sequence $\mathbf{x}_{2,\hat{T}_1}$ has some correlation to sequence $\mathbf{u}_1$ from the viewpoint of Eve, Alice should not reveal $\mathbf{x}_{2,\hat{T}_1}$ to achieve a higher key rate.

In the EDP context, on the other hand, since the bit flip error, $\mathbf{x}_{2,\hat{T}_1} + \mathbf{y}_{2,\hat{T}_1}$, has some correlation to the phase flip errors in the $(2i-1)$-th pair with $i \in \hat{T}_1$, Alice should send the measurement results, $\mathbf{x}_{2,\hat{T}_1}$, to Bob. If Alice discards measurement results $\mathbf{x}_{2,\hat{T}_1}$ without telling Bob what the result is, then the yield of the resulting EDP is worse than Eq. (6). Consequently, there seems to be no correspondence between the EDP and our proposed classical processing.

V. CONCLUSION 

We proposed an information reconciliation protocol that uses two-way classical communication. For the BB84 and six-state protocols, the key rates of QKD protocols that use our information reconciliation protocol are higher than those of previously known protocols for a wide range of error rates. Furthermore, we showed the relation between the proposed protocol and the B-step of [15] (Remark 4). We clarified why the key rate of our protocol is higher than those of [17], [24] (Remark 5), and found that there does not seem to be any EDP that corresponds to our proposed QKD protocol.
APPENDIX A: NOTATIONS

These appendices are supplementary materials, in which we prove Theorem 2, Theorem 3, and the fact that the key rate formula evaluated for a Bell-diagonal state is the worst case. The proof of Theorem 2 is based on the proof method of [12], [13], [14], especially [3]. In Section A we review notations and fundamental results that are used in subsequent sections. Notations in this paper are almost the same as those in [3]. In Section B we review notions of the (smooth) min-entropy, the (smooth) max-entropy, and the privacy amplification. Furthermore, we additionally show some lemmas, which are used to prove Theorem 2 in Section D. In Section C we review the property of symmetric states and the de Finetti style representation theorem. We prove Theorem 2 in Section D. Section E presents a proof of Theorem 3. We show the fact that the key rate formula evaluated for a Bell-diagonal state is the worst case in Section F.

1. Fundamentals 

For a finite set $\mathcal{X}$, let $\mathcal{P}(\mathcal{X})$ be the set of non-negative functions $P$ on $\mathcal{X}$, i.e., $P(x) \ge 0$ for all $x \in \mathcal{X}$. If $P \in \mathcal{P}(\mathcal{X})$ is normalized, i.e., $\sum_{x \in \mathcal{X}} P(x) = 1$, then $P$ is a probability distribution on $\mathcal{X}$. Unless stated as a probability distribution, $P \in \mathcal{P}(\mathcal{X})$ is not necessarily normalized.

For a finite-dimensional Hilbert space $\mathcal{H}$, let $\mathcal{P}(\mathcal{H})$ be the set of non-negative operators $\rho$ on $\mathcal{H}$. If $\rho \in \mathcal{P}(\mathcal{H})$ is normalized, i.e., $\mathrm{Tr}\rho = 1$, then $\rho$ is called a density operator. Mathematically, a state of a quantum mechanical system with $d$ degrees of freedom is represented by a density operator on $\mathcal{H}$ with $\dim \mathcal{H} = d$. Unless stated as a density operator or a state, $\rho \in \mathcal{P}(\mathcal{H})$ is not necessarily normalized. For Hilbert spaces $\mathcal{H}_A$ and $\mathcal{H}_B$, the set of non-negative operators $\mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ on the tensor product space $\mathcal{H}_A \otimes \mathcal{H}_B$ is defined in a similar manner.

The classical random variables can be regarded as a special case of the quantum states. For a random variable $X$ with a distribution $P_X \in \mathcal{P}(\mathcal{X})$, let

$$\rho_X := \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x|,$$

where $\{|x\rangle\}_{x \in \mathcal{X}}$ is an orthonormal basis of $\mathcal{H}_X$. We call $\rho_X$ the operator representation of the classical distribution $P_X$.

When a quantum system $\mathcal{H}_A$ is prepared in a state $\rho_A^x$ according to a realization $x$ of a random variable $X$ with a probability distribution $P_X$, it is convenient to denote it by a density operator

$$\rho_{XA} := \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x| \otimes \rho_A^x \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_A), \tag{A1}$$

where $\{|x\rangle\}_{x \in \mathcal{X}}$ is an orthonormal basis of $\mathcal{H}_X$. We call the density operator $\rho_{XA}$ a {cq}-state [37], or we say $\rho_{XA}$ is classical on $\mathcal{H}_X$. We call $\rho_A^x$ a conditional operator. When a quantum system $\mathcal{H}_A$ is prepared in a state $\rho_A^{x,y}$ according to a joint random variable $(X, Y)$ with a probability distribution $P_{XY}$, a state $\rho_{XYA}$ is defined in a similar manner, and the state $\rho_{XYA}$ is called a {ccq}-state.

In quantum mechanics, the most general state evolution of a quantum mechanical system is described by a completely positive (CP) map. It can be shown that any CP map $\mathcal{E}$ can be written as

$$\mathcal{E}(\rho) = \sum_{a \in \mathcal{A}} E_a \rho E_a^* \tag{A2}$$

for a family of linear operators $\{E_a\}_{a \in \mathcal{A}}$ from the initial system $\mathcal{H}$ to the destination system $\mathcal{H}'$. We usually require the map to be trace preserving (TP), i.e., $\sum_{a \in \mathcal{A}} E_a^* E_a = \mathrm{id}_{\mathcal{H}}$, but if a state evolution involves a measurement, then the corresponding CP map is not necessarily trace preserving, i.e., $\sum_{a \in \mathcal{A}} E_a^* E_a \le \mathrm{id}_{\mathcal{H}}$.

2. Distance and fidelity 

In this paper, we use two kinds of distances. One is the variational distance of $\mathcal{P}(\mathcal{X})$. For non-negative functions $P, P' \in \mathcal{P}(\mathcal{X})$, the variational distance between $P$ and $P'$ is defined by

$$\|P - P'\| := \sum_{x \in \mathcal{X}} |P(x) - P'(x)|.$$

The other distance used in this paper is the trace distance of $\mathcal{P}(\mathcal{H})$. For non-negative operators $\rho, \sigma \in \mathcal{P}(\mathcal{H})$, the trace distance between $\rho$ and $\sigma$ is defined by

$$\|\rho - \sigma\| := \mathrm{Tr}|\rho - \sigma|,$$

where $|A| := \sqrt{A^* A}$ for an operator $A$ on $\mathcal{H}$, and $A^*$ is the adjoint operator of $A$. The following lemma states that the trace distance between (not necessarily normalized) operators does not increase by applying a CP map, and it is used several times in this paper.

Lemma 6 [14, Lemma A.2.1] Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ and let $\mathcal{E}$ be a trace-non-increasing CP map, i.e., $\mathcal{E}$ satisfies $\mathrm{Tr}\,\mathcal{E}(\sigma) \le \mathrm{Tr}\,\sigma$ for any $\sigma \in \mathcal{P}(\mathcal{H})$. Then we have

$$\|\mathcal{E}(\rho) - \mathcal{E}(\rho')\| \le \|\rho - \rho'\|.$$



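The following lemma states that, for a {cq}-state $\rho_{XB}$, if two classical messages $v$ and $\hat{v}$ are computed from $x$ and they are equal with high probability, then the {ccq}-states $\rho_{XVB}$ and $\rho_{X\hat{V}B}$ that involve the computed classical messages $v$ and $\hat{v}$ are close with respect to the trace distance.

Lemma 7 Let

$$\rho_{XB} := \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x| \otimes \rho_B^x$$

be a {cq}-state, and let $V := f(X)$ for a function $f$ and $\hat{V} := g(X)$ for a function $g$. Assume that

$$\Pr\{V \neq \hat{V}\} = \sum_{x : f(x) \neq g(x)} P_X(x) \le \varepsilon.$$

Then, for {ccq}-states

$$\rho_{XVB} := \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x| \otimes |f(x)\rangle\langle f(x)| \otimes \rho_B^x$$

and

$$\rho_{X\hat{V}B} := \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x| \otimes |g(x)\rangle\langle g(x)| \otimes \rho_B^x,$$

we have

$$\|\rho_{XVB} - \rho_{X\hat{V}B}\| \le 2\varepsilon.$$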
Proof. We have 

Wpxvb - PxvbW 
xex 

■\\\f(x)){f(x)\-\g(x)){g(x)\\\-\\p%\\ 

xex 
< 2e, 

where $\delta_{a,b} = 1$ if $a = b$ and $\delta_{a,b} = 0$ if $a \neq b$. □

The fidelity between two (not necessarily normalized) operators $\rho, \sigma \in \mathcal{P}(\mathcal{H})$ is defined by

$$F(\rho, \sigma) := \mathrm{Tr}\sqrt{\sqrt{\rho}\,\sigma\sqrt{\rho}}.$$

The following lemma is an extension of Uhlmann's theorem to non-normalized operators $\rho$ and $\sigma$.

Lemma 8 [14, Theorem A.1.2] Let $\rho, \sigma \in \mathcal{P}(\mathcal{H})$, and let $|\psi\rangle \in \mathcal{H}_R \otimes \mathcal{H}$ be a purification of $\rho$. Then

$$F(\rho, \sigma) = \max_{|\phi\rangle\langle\phi|} F(|\psi\rangle\langle\psi|, |\phi\rangle\langle\phi|),$$

where the maximum is taken over all purifications $|\phi\rangle \in \mathcal{H}_R \otimes \mathcal{H}$ of $\sigma$.

The trace distance and the fidelity have a close relationship. If the trace distance between two density operators $\rho$ and $\sigma$ is close to 0, then the fidelity between $\rho$ and $\sigma$ is close to 1, and vice versa.

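Lemma 9 [14, Lemma A.2.4] Let $\rho, \sigma \in \mathcal{P}(\mathcal{H})$. Then, we have

$$\|\rho - \sigma\| \le \sqrt{(\mathrm{Tr}\rho + \mathrm{Tr}\sigma)^2 - 4F(\rho, \sigma)^2}.$$

Lemma 10 [14, Lemma A.2.6] Let $\rho, \sigma \in \mathcal{P}(\mathcal{H})$. Then, we have

$$\mathrm{Tr}\rho + \mathrm{Tr}\sigma - 2F(\rho, \sigma) \le \|\rho - \sigma\|.$$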



3. Entropy 

For a random variable $X$ on $\mathcal{X}$ with a probability distribution $P_X \in \mathcal{P}(\mathcal{X})$, the entropy of $X$ is defined by

$$H(X) = H(P_X) := -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x),$$

where the base of log is 2. Especially for a real number $0 \le p \le 1$, the binary entropy function is defined by

$$h(p) := -p \log p - (1 - p) \log(1 - p).$$

Similarly, for joint random variables $X$ and $Y$ with a joint probability distribution $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$, the joint entropy of $X$ and $Y$ is

$$H(XY) = H(P_{XY}) := -\sum_{(x,y) \in \mathcal{X} \times \mathcal{Y}} P_{XY}(x, y) \log P_{XY}(x, y).$$

The conditional entropy of $X$ given $Y$ is defined by

$$H(X|Y) := H(XY) - H(Y).$$

For a quantum state $\rho \in \mathcal{P}(\mathcal{H})$, the von Neumann entropy of the system is defined by

$$H(\rho) := -\mathrm{Tr}\,\rho \log \rho.$$

For a quantum state $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ of the composite system, the von Neumann entropy of the composite system is $H(\rho_{AB})$. The conditional von Neumann entropy of the system $A$ given the system $B$ is defined by

$$H_\rho(A|B) := H(\rho_{AB}) - H(\rho_B),$$

where $\rho_B = \mathrm{Tr}_A[\rho_{AB}]$ is the partial trace of $\rho_{AB}$ over the system $A$.

Remark 11 In this paper, we write $\rho_A$ for $\mathrm{Tr}_B[\rho_{AB}]$, $\rho_B$ for $\mathrm{Tr}_{AC}[\rho_{ABC}]$, etc., without declaring them if they are obvious from the context.



4. Method of type 

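In this section, we review the method of types that is used in this paper (see [31, Chapter 11] for more detail).

For a sequence $\mathbf{x} = (x_1, \ldots, x_n) \in \mathcal{X}^n$, the type of $\mathbf{x}$ is the empirical probability distribution $P_{\mathbf{x}} \in \mathcal{P}(\mathcal{X})$ defined by

$$P_{\mathbf{x}}(a) := \frac{|\{i \mid x_i = a\}|}{n} \quad \text{for } a \in \mathcal{X},$$

where $|A|$ is the cardinality of a set $A$. Let

$$\mathcal{P}_n(\mathcal{X}) := \{P_{\mathbf{x}} \mid \mathbf{x} \in \mathcal{X}^n\}$$

be the set of all types on $\mathcal{X}^n$. It is easy to confirm that

$$|\mathcal{P}_n(\mathcal{X})| \le (n + 1)^{(|\mathcal{X}| - 1)}.$$

For $Q \in \mathcal{P}_n(\mathcal{X})$,

$$\mathcal{T}_Q^n(\mathcal{X}) := \{\mathbf{x} \in \mathcal{X}^n \mid P_{\mathbf{x}} = Q\}$$

is the set of all sequences of type $Q$.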

The probability that sequences in the set $\mathcal{T}_Q^n$ occur can be expressed in terms of the divergence.

Lemma 12 [31, Theorem 11.1.4] For any probability distribution $P \in \mathcal{P}(\mathcal{X})$ and for any type $Q \in \mathcal{P}_n(\mathcal{X})$, we have

$$(n + 1)^{-(|\mathcal{X}| - 1)} \exp\{-n D(Q\|P)\} \le P^n(\mathcal{T}_Q^n) \le \exp\{-n D(Q\|P)\},$$

where $P^n(\mathcal{T}_Q^n) := \sum_{\mathbf{x} \in \mathcal{T}_Q^n} P^n(\mathbf{x})$, the base of $\exp\{\}$ is 2, and $D(Q\|P)$ is the divergence defined by

$$D(Q\|P) := \sum_{x \in \mathcal{X}} Q(x) \log \frac{Q(x)}{P(x)}.$$

In the subsequent sections, we especially use the following inequality:

$$Q^n(\mathcal{T}_Q^n(\mathcal{X})) \ge \frac{1}{(n + 1)^{(|\mathcal{X}| - 1)}} \tag{A3}$$

for any $Q \in \mathcal{P}_n(\mathcal{X})$, which follows from the fact that $D(Q\|Q) = 0$.

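Lemma 13 [31, Lemma 11.6.1] For any probability distributions $P, P' \in \mathcal{P}(\mathcal{X})$, we have

$$D(P\|P') \ge \frac{1}{2 \ln 2} \|P - P'\|^2.$$

The following corollary states that sequences whose types are not close to $P$ rarely occur as $n$ increases.

Corollary 14 For any probability distribution $P \in \mathcal{P}(\mathcal{X})$ and a set $\mathcal{B}^\varepsilon(P) := \{\mathbf{x} \in \mathcal{X}^n \mid \|P_{\mathbf{x}} - P\| \le \varepsilon\}$, we have

$$\sum_{\mathbf{x} \notin \mathcal{B}^\varepsilon(P)} P^n(\mathbf{x}) \le (n + 1)^{(|\mathcal{X}| - 1)} \exp\left\{-\frac{n \varepsilon^2}{2 \ln 2}\right\}.$$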
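The bounds of this subsection can be checked numerically. The following is an added example, not code from the paper: it enumerates all types, verifies Lemma 12 and Eq. (A3) for a four-letter alphabet (the size that yields the factor $(2n+1)^3$ used later), and compares the exact probability of atypical sequences with the bound that follows from Lemmas 12 and 13. The function names and the sample distributions are constructed for illustration.

```python
from math import lgamma, log, log2


def types(n, k):
    """Yield every type on a k-letter alphabet as a tuple of counts summing to n."""
    if k == 1:
        yield (n,)
        return
    for c in range(n + 1):
        for rest in types(n - c, k - 1):
            yield (c,) + rest


def log2_class_probability(counts, P):
    """log2 of P^n(T_Q^n) for Q = counts / n: the multinomial coefficient times
    the i.i.d. probability of one sequence of that type (lgamma avoids overflow)."""
    n = sum(counts)
    log_size = lgamma(n + 1) - sum(lgamma(c + 1) for c in counts)
    return log_size / log(2) + sum(c * log2(p) for c, p in zip(counts, P) if c > 0)


def divergence(Q, P):
    """D(Q||P) in bits; P must be positive wherever Q is."""
    return sum(q * log2(q / p) for q, p in zip(Q, P) if q > 0)


def lemma12_holds(P, n, tol=1e-6):
    """Check both inequalities of Lemma 12 for every type Q on X^n."""
    k = len(P)
    slack = (k - 1) * log2(n + 1)
    for counts in types(n, k):
        Q = [c / n for c in counts]
        lp = log2_class_probability(counts, P)
        upper = -n * divergence(Q, P)
        if not (upper - slack - tol <= lp <= upper + tol):
            return False
    return True


def a3_holds(n, k, tol=1e-6):
    """Check Eq. (A3): Q^n(T_Q^n) >= (n+1)^-(k-1) for every type Q."""
    slack = (k - 1) * log2(n + 1)
    return all(
        log2_class_probability(c, [x / n for x in c]) >= -slack - tol
        for c in types(n, k)
    )


def atypical_mass(P, n, eps):
    """Exact probability that the type of an i.i.d. sample is farther than eps
    from P in variational distance, together with the bound
    (n+1)^(k-1) * 2^(-n eps^2 / (2 ln 2))."""
    k = len(P)
    mass = 0.0
    for counts in types(n, k):
        if sum(abs(c / n - p) for c, p in zip(counts, P)) > eps:
            mass += 2.0 ** log2_class_probability(counts, P)
    bound = (n + 1) ** (k - 1) * 2.0 ** (-n * eps ** 2 / (2 * log(2)))
    return mass, bound


if __name__ == "__main__":
    P4 = (0.85, 0.05, 0.05, 0.05)  # constructed four-outcome distribution
    print("Lemma 12 holds:", lemma12_holds(P4, 30))
    print("Eq. (A3) holds:", a3_holds(30, 4))
    print("atypical mass, bound:", atypical_mass((0.9, 0.1), 2000, 0.1))
```

The polynomial prefactor makes the bound vacuous for short blocks; it only drops below 1 once $n\varepsilon^2$ is large enough, which is why the binary case above uses $n = 2000$.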
APPENDIX B: PRIVACY AMPLIFICATION

In this section, we review the privacy amplification. First, we review the notions of the (smooth) min-entropy and the (smooth) max-entropy. The (smooth) min-entropy and the (smooth) max-entropy are useful tools to prove the security of QKD protocols [H, 0, El]. In particular, the (smooth) min-entropy is much more important, because it is related to the length of the securely distillable key by the privacy amplification. The privacy amplification [2] is a technique to distill a secret key from partially secret data, on which an adversary might have some information. Later, the privacy amplification was extended to the case that an adversary has information encoded into a state of a quantum system [lj, 13^, [H, [39| ). Most of the following results can be found in [14, Sections 3 and 5], but lemmas without citations are additionally proved in this paper. We need Lemma 22 to apply the results in [H[ to our proposed two-way QKD protocol (QKD protocol with our proposed IR protocol). More specifically, Eq. (3.22) in [14, Theorem 3.2.12] plays an important role to show a statement similar to Corollary 23 in the case of one-way QKD protocol (QKD protocol with one-way IR protocol). However, the condition of Eq. (3.22) in [14, Theorem 3.2.12] is too restricted, and cannot be applied to our protocol. Thus, we showed Corollary 23 via Lemma 22. Lemmas 19 and 21 are needed to prove Lemma 22. Lemmas |2"5H2"51 are implicitly used in [14] without proof, which are also used in our proof in Section [Ql

1. Min- and Max- Entropy 

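The (smooth) min-entropy and (smooth) max-entropy are formally defined as follows.

Definition 15 [14, Definition 3.1.1] Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. The min-entropy of $\rho_{AB}$ relative to $\sigma_B$ is defined by

$$H_{\min}(\rho_{AB}|\sigma_B) := -\log \lambda,$$

where $\lambda$ is the minimum real number such that $\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB} \ge 0$, where $\mathrm{id}_A$ is the identity operator on $\mathcal{H}_A$. When the condition $\mathrm{supp}(\rho_B) \subset \mathrm{supp}(\sigma_B)$ does not hold, there is no $\lambda$ satisfying the condition $\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB} \ge 0$, thus we define $H_{\min}(\rho_{AB}|\sigma_B) := -\infty$.

The max-entropy of $\rho_{AB}$ relative to $\sigma_B$ is defined by

$$H_{\max}(\rho_{AB}|\sigma_B) := \log \mathrm{Tr}\left((\mathrm{id}_A \otimes \sigma_B)\rho_{AB}^0\right),$$

where $\rho_{AB}^0$ denotes the projector onto the support of $\rho_{AB}$.

The min-entropy and the max-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ are defined by

$$H_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\min}(\rho_{AB}|\sigma_B),$$
$$H_{\max}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\max}(\rho_{AB}|\sigma_B),$$

where the supremum ranges over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ with $\mathrm{Tr}\sigma_B = 1$.

When $\mathcal{H}_B$ is the trivial space $\mathbb{C}$, the min-entropy and the max-entropy of $\rho_A$ are

$$H_{\min}(\rho_A) = -\log \lambda_{\max}(\rho_A),$$
$$H_{\max}(\rho_A) = \log \mathrm{rank}(\rho_A),$$

where $\lambda_{\max}(\cdot)$ denotes the maximum eigenvalue of the argument.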

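Definition 16 [14, Definitions 3.2.1 and 3.2.2] Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, and $\varepsilon \ge 0$. The $\varepsilon$-smooth min-entropy and the $\varepsilon$-smooth max-entropy of $\rho_{AB}$ relative to $\sigma_B$ are defined by

$$H_{\min}^\varepsilon(\rho_{AB}|\sigma_B) := \sup_{\bar{\rho}_{AB}} H_{\min}(\bar{\rho}_{AB}|\sigma_B),$$
$$H_{\max}^\varepsilon(\rho_{AB}|\sigma_B) := \inf_{\bar{\rho}_{AB}} H_{\max}(\bar{\rho}_{AB}|\sigma_B),$$

where the supremum and infimum range over the set $\mathcal{B}^\varepsilon(\rho_{AB})$ of all operators $\bar{\rho}_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ such that $\|\bar{\rho}_{AB} - \rho_{AB}\| \le (\mathrm{Tr}\rho_{AB})\varepsilon$.

The conditional $\varepsilon$-smooth min-entropy and the $\varepsilon$-smooth max-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ are defined by

$$H_{\min}^\varepsilon(\rho_{AB}|B) := \sup_{\sigma_B} H_{\min}^\varepsilon(\rho_{AB}|\sigma_B),$$
$$H_{\max}^\varepsilon(\rho_{AB}|B) := \sup_{\sigma_B} H_{\max}^\varepsilon(\rho_{AB}|\sigma_B),$$

where the supremum ranges over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ with $\mathrm{Tr}\sigma_B = 1$.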

The following lemma is a kind of chain rule for the smooth min-entropy.

Lemma 17 [14, Theorem 3.2.12] For a tripartite operator $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$, we have

$$H_{\min}^\varepsilon(\rho_{ABC}|C) \le H_{\min}^\varepsilon(\rho_{ABC}|BC) + H_{\max}(\rho_B). \tag{B1}$$

The following lemma states that removing the classical system only decreases the min-entropy.

Lemma 18 [14, Lemma 3.1.9] (monotonicity of min-entropy) Let $\rho_{XBC} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ be classical on $\mathcal{H}_X$, and let $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$. Then, we have

$$H_{\min}(\rho_{XBC}|\sigma_C) \ge H_{\min}(\rho_{BC}|\sigma_C).$$

In order to extend Lemma 18 to the smooth min-entropy, we need Lemmas 19 and 21.

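Lemma 19 Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ be a density operator. For $\varepsilon \ge 0$, let $\bar{\rho}_B \in \mathcal{B}^\varepsilon(\rho_B)$. Then, there exists an operator $\bar{\rho}_{AB} \in \mathcal{B}^{\bar{\varepsilon}}(\rho_{AB})$ such that $\mathrm{Tr}_A[\bar{\rho}_{AB}] = \bar{\rho}_B$, where $\bar{\varepsilon} := \sqrt{8\varepsilon}$.

Proof. Since $\bar{\rho}_B \in \mathcal{B}^\varepsilon(\rho_B)$, we have

$$\|\bar{\rho}_B\| \ge \|\rho_B\| - \|\rho_B - \bar{\rho}_B\| \ge 1 - \varepsilon.$$

Then, from Lemma 10 we have

$$F(\rho_B, \bar{\rho}_B) \ge \frac{1}{2}\left(\mathrm{Tr}\rho_B + \mathrm{Tr}\bar{\rho}_B - \|\rho_B - \bar{\rho}_B\|\right) \ge 1 - \varepsilon.$$

Let $|\Psi\rangle \in \mathcal{H}_R \otimes \mathcal{H}_A \otimes \mathcal{H}_B$ be a purification of $\rho_{AB}$. Then, from Lemma 8 there exists a purification $|\Phi\rangle \in \mathcal{H}_R \otimes \mathcal{H}_A \otimes \mathcal{H}_B$ of $\bar{\rho}_B$ such that

$$F(|\Psi\rangle, |\Phi\rangle) = F(\rho_B, \bar{\rho}_B) \ge 1 - \varepsilon.$$

By noting that $F(|\Psi\rangle, |\Phi\rangle)^2 \ge 1 - 2\varepsilon$, from Lemma 9 we have

$$\||\Psi\rangle\langle\Psi| - |\Phi\rangle\langle\Phi|\| \le \sqrt{8\varepsilon}.$$

Let $\bar{\rho}_{AB} := \mathrm{Tr}_R[|\Phi\rangle\langle\Phi|]$. Then, since the trace distance does not increase by the partial trace, we have

$$\|\rho_{AB} - \bar{\rho}_{AB}\| \le \sqrt{8\varepsilon}.$$

□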

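Remark 20 In Lemma 19, if the density operator $\rho_{AB}$ is classical with respect to both systems $\mathcal{H}_A \otimes \mathcal{H}_B$, then we can easily replace $\bar{\varepsilon}$ by $\varepsilon$. Then, $\bar{\varepsilon}$ in Lemmas 21, 22 and Corollary 23 can also be replaced by $\varepsilon$.

Lemma 21 Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be a density operator that is classical on $\mathcal{H}_X$. For $\varepsilon \ge 0$, let $\bar{\rho}_B \in \mathcal{B}^\varepsilon(\rho_B)$. Then, there exists an operator $\bar{\rho}_{XB} \in \mathcal{B}^{\bar{\varepsilon}}(\rho_{XB})$ such that $\mathrm{Tr}_X[\bar{\rho}_{XB}] = \bar{\rho}_B$ and $\bar{\rho}_{XB}$ is classical on $\mathcal{H}_X$, where $\bar{\varepsilon} := \sqrt{8\varepsilon}$.

Proof. From Lemma 19, there exists an operator $\bar{\rho}'_{XB} \in \mathcal{B}^{\bar{\varepsilon}}(\rho_{XB})$ such that $\mathrm{Tr}_X[\bar{\rho}'_{XB}] = \bar{\rho}_B$. Let $\mathcal{E}_X$ be a projection measurement CP map on $\mathcal{H}_X$, i.e.,

$$\mathcal{E}_X(\rho) := \sum_{x \in \mathcal{X}} |x\rangle\langle x| \rho |x\rangle\langle x|,$$

where $\{|x\rangle\}_{x \in \mathcal{X}}$ is an orthonormal basis of $\mathcal{H}_X$. Let $\bar{\rho}_{XB} := (\mathcal{E}_X \otimes \mathrm{id}_B)(\bar{\rho}'_{XB})$. Then, since the trace distance does not increase by the CP map, and $(\mathcal{E}_X \otimes \mathrm{id}_B)(\rho_{XB}) = \rho_{XB}$, we have

$$\|\bar{\rho}_{XB} - \rho_{XB}\| = \|(\mathcal{E}_X \otimes \mathrm{id}_B)(\bar{\rho}'_{XB}) - (\mathcal{E}_X \otimes \mathrm{id}_B)(\rho_{XB})\| \le \|\bar{\rho}'_{XB} - \rho_{XB}\| \le \bar{\varepsilon}.$$

Furthermore, we have $\mathrm{Tr}_X[\bar{\rho}_{XB}] = \mathrm{Tr}_X[\bar{\rho}'_{XB}] = \bar{\rho}_B$, and $\bar{\rho}_{XB}$ is classical on $\mathcal{H}_X$. □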

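The following lemma states that the monotonicity of the min-entropy (Lemma 18) can be extended to the smooth min-entropy by adjusting the smoothness $\varepsilon$.

Lemma 22 Let $\rho_{XBC} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ be a density operator that is classical on $\mathcal{H}_X$. Then, for any $\varepsilon \ge 0$, we have

$$H_{\min}^{\bar{\varepsilon}}(\rho_{XBC}|C) \ge H_{\min}^\varepsilon(\rho_{BC}|C),$$

where $\bar{\varepsilon} := \sqrt{8\varepsilon}$.

Proof. We will prove that

$$H_{\min}^{\bar{\varepsilon}}(\rho_{XBC}|\sigma_C) \ge H_{\min}^\varepsilon(\rho_{BC}|\sigma_C)$$

holds for any $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$ with $\mathrm{Tr}\sigma_C = 1$. From the definition of the smooth min-entropy, for any $\nu > 0$, there exists $\bar{\rho}_{BC} \in \mathcal{B}^\varepsilon(\rho_{BC})$ such that

$$H_{\min}(\bar{\rho}_{BC}|\sigma_C) \ge H_{\min}^\varepsilon(\rho_{BC}|\sigma_C) - \nu. \tag{B2}$$

From Lemma 21, there exists an operator $\bar{\rho}_{XBC} \in \mathcal{B}^{\bar{\varepsilon}}(\rho_{XBC})$ such that $\mathrm{Tr}_X[\bar{\rho}_{XBC}] = \bar{\rho}_{BC}$, and $\bar{\rho}_{XBC}$ is classical on $\mathcal{H}_X$. Then, from Lemma 18 we have

$$H_{\min}(\bar{\rho}_{XBC}|\sigma_C) \ge H_{\min}(\bar{\rho}_{BC}|\sigma_C). \tag{B3}$$

Furthermore, from the definition of the smooth min-entropy, we have

$$H_{\min}^{\bar{\varepsilon}}(\rho_{XBC}|\sigma_C) \ge H_{\min}(\bar{\rho}_{XBC}|\sigma_C). \tag{B4}$$

Since $\nu > 0$ is arbitrary, combining Eqs. (B2)-(B4), we have the assertion of the lemma. □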

Combining Eq. (B1) of Lemma 17 and Lemma 22, we have the following corollary, which states that the condition decreases the smooth min-entropy by at most the amount of the max-entropy of the condition, and plays an important role to prove security of QKD protocols.

Corollary 23 Let $\rho_{XBC} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ be a density operator that is classical on $\mathcal{H}_X$. Then, for any $\varepsilon \ge 0$, we have

$$H_{\min}^{\bar{\varepsilon}}(\rho_{XBC}|XC) \ge H_{\min}^\varepsilon(\rho_{BC}|C) - H_{\max}(\rho_X),$$

where $\bar{\varepsilon} := \sqrt{8\varepsilon}$.

The following lemmas are also used in Section [TJJ

Lemma 24 [14, Theorem 3.2.12] The following inequalities hold:

• Strong sub-additivity:

$$H_{\min}^\varepsilon(\rho_{ABC}|BC) \le H_{\min}^\varepsilon(\rho_{AB}|B) \tag{B5}$$

for $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$.

• Conditioning on classical information:

$$H_{\min}^\varepsilon(\rho_{ABZ}|BZ) \ge \min_{z \in \mathcal{Z}} H_{\min}^\varepsilon(\rho_{AB}^z|B) \tag{B6}$$

for $\rho_{ABZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_Z)$ normalized and classical on $\mathcal{H}_Z$, and for conditional operators $\rho_{AB}^z \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\rho_B^z \in \mathcal{P}(\mathcal{H}_B)$.

In order to prove that removing the (not necessarily classical) system increases the min-entropy by at most the max-entropy of the removed system (Lemma 26), we need the following lemma.

Lemma 25 Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ be a density operator, and let $r_A := \mathrm{rank}(\rho_A)$. Then, we have

$$r_A\, \mathrm{id}_A \otimes \rho_B - \rho_{AB} \ge 0,$$

where $\mathrm{id}_A$ is the identity operator on $\mathcal{H}_A$.
Proof. First, we prove the assertion for pure state pab — 

mm. Let 



(B7) 



be a Schmidt decomposition of 1^). Let { 1 0*) }^=i and 
{\4>i)}i=i be orthonormal bases of Ha and Hb that are 
extensions of vectors in Eq. (|B7[) . For any vector |$) £ 
Ha we can write 

d B 

m =£&i&>®m>, 

i=l 

where {\<fii)}f= i is normalized but not necessarily orthog- 
onal. Then, we have 



($\ P ABm = mm\ 2 



< 



^2 \/<xiPi(<t>i\w 
i=l 



and 



{<&\{r A id A ® p B )\&) = r A \\^VuiPi\4>i)®\^i)f 



r A 



Using the Cauchy-Schwartz inequality for two vectors 
(!,...,!) and (^/o£\0t\, . . ., Ja^\P TA \), we have 



{®\ P ab\$) < 



< 



»=i 

($\{r A idA® Pb)\$). 



Thus, the assertion holds for a pure state pab = |*)(^ r |- 
For a mixed state pab, let pab = Y^JiLi Pi\^i){^i\ be an 
eigenvalue decomposition. Let p B = Ti A \^ Not- 
ing that rank(TrB|*i)(*i|) < rank(Tr B p y is) = r A for all 
1 < i < to, we have 



VA 



id A ®PB~ PAB = J2P*( r A [d A O p B ~ |*i>(*» |) > 0. 



□ 



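Lemma 26 Let $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ and $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$. Then

$$H_{\min}(\rho_{ABC}|\sigma_C) \ge H_{\min}(\rho_{BC}|\sigma_C) - H_{\max}(\rho_A).$$

Proof. Let $\lambda$ be such that $H_{\min}(\rho_{BC}|\sigma_C) = -\log \lambda$, i.e., $\lambda$ is the minimum number satisfying

$$\lambda\, \mathrm{id}_B \otimes \sigma_C - \rho_{BC} \ge 0.$$

Let $r_A := \mathrm{rank}(\rho_A)$. Then, we want to show that

$$H_{\min}(\rho_{ABC}|\sigma_C) \ge -\log \lambda - \log r_A = -\log r_A \lambda,$$

i.e., $r_A \lambda\, \mathrm{id}_{AB} \otimes \sigma_C - \rho_{ABC} \ge 0$. From Lemma 25 we have

$$r_A \lambda\, \mathrm{id}_{AB} \otimes \sigma_C - \rho_{ABC} \ge r_A \lambda\, \mathrm{id}_{AB} \otimes \sigma_C - r_A\, \mathrm{id}_A \otimes \rho_{BC} = r_A\, \mathrm{id}_A \otimes (\lambda\, \mathrm{id}_B \otimes \sigma_C - \rho_{BC}) \ge 0.$$

□

The following lemma states that Lemma 26 can be extended to the smooth min-entropy by adjusting the smoothness $\varepsilon$.

Lemma 27 Let $\varepsilon \ge 0$ and let $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ be a density operator. Then, we have

$$H_{\min}^{\bar{\varepsilon}}(\rho_{ABC}|C) \ge H_{\min}^\varepsilon(\rho_{BC}|C) - \log \dim \mathcal{H}_A,$$

where $\bar{\varepsilon} := \sqrt{8\varepsilon}$.

Proof. We will prove that

$$H_{\min}^{\bar{\varepsilon}}(\rho_{ABC}|\sigma_C) \ge H_{\min}^\varepsilon(\rho_{BC}|\sigma_C) - \log \dim \mathcal{H}_A$$

holds for any $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$ with $\mathrm{Tr}\sigma_C = 1$. For any $\nu > 0$, there exists $\bar{\rho}_{BC} \in \mathcal{B}^\varepsilon(\rho_{BC})$ such that

$$H_{\min}(\bar{\rho}_{BC}|\sigma_C) \ge H_{\min}^\varepsilon(\rho_{BC}|\sigma_C) - \nu. \tag{B8}$$

From Lemma 19, there exists an operator $\bar{\rho}_{ABC} \in \mathcal{B}^{\bar{\varepsilon}}(\rho_{ABC})$ such that $\mathrm{Tr}_A[\bar{\rho}_{ABC}] = \bar{\rho}_{BC}$. Then from Lemma 26 we have

$$H_{\min}(\bar{\rho}_{ABC}|\sigma_C) \ge H_{\min}(\bar{\rho}_{BC}|\sigma_C) - \log \dim \mathcal{H}_A. \tag{B9}$$

Furthermore, from the definition of the smooth min-entropy, we have

$$H_{\min}^{\bar{\varepsilon}}(\rho_{ABC}|\sigma_C) \ge H_{\min}(\bar{\rho}_{ABC}|\sigma_C). \tag{B10}$$

Since $\nu > 0$ is arbitrary, combining Eqs. (B8)-(B10), we have the assertion of the lemma. □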
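Lemma 28 For density operators $\rho_{AB}, \tilde{\rho}_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ such that $\|\rho_{AB} - \tilde{\rho}_{AB}\| \le \varepsilon'$, we have

$$H_{\min}^\varepsilon(\rho_{AB}|B) \le H_{\min}^{\varepsilon + \varepsilon'}(\tilde{\rho}_{AB}|B).$$

Proof. For all $\bar{\rho}_{AB} \in \mathcal{B}^\varepsilon(\rho_{AB})$, by the triangle inequality, we have

$$\|\bar{\rho}_{AB} - \tilde{\rho}_{AB}\| \le \|\bar{\rho}_{AB} - \rho_{AB}\| + \|\rho_{AB} - \tilde{\rho}_{AB}\| \le \varepsilon + \varepsilon'.$$

Thus, we have $\bar{\rho}_{AB} \in \mathcal{B}^{\varepsilon + \varepsilon'}(\tilde{\rho}_{AB})$, and

$$H_{\min}^\varepsilon(\rho_{AB}|\sigma_B) \le H_{\min}^{\varepsilon + \varepsilon'}(\tilde{\rho}_{AB}|\sigma_B)$$

for all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. Then we have the assertion of the lemma. □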



2. Privacy amplification 

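The following definition is used to state the security of the distilled key by the privacy amplification.

Definition 29 [14, Definition 5.2.1] Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. Then the trace distance from the uniform of $\rho_{AB}$ given $B$ is defined by

$$d(\rho_{AB}|B) := \|\rho_{AB} - \rho_A^{\mathrm{mix}} \otimes \rho_B\|,$$

where $\rho_A^{\mathrm{mix}} := \frac{1}{\dim \mathcal{H}_A} \mathrm{id}_A$ is the fully mixed state on $\mathcal{H}_A$ and $\rho_B := \mathrm{Tr}_A[\rho_{AB}]$.

Definition 30 [40] Let $\mathcal{F}$ be a family of hash functions from $\mathcal{X}$ to $\mathcal{Z}$, and let $P_F$ be the uniform probability distribution on $\mathcal{F}$. The family $\mathcal{F}$ is called two-universal if $\Pr\{f(x) = f(x')\} \le \frac{1}{|\mathcal{Z}|}$ for any distinct $x, x' \in \mathcal{X}$.

Consider an operator $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ that is classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$, and assume that $f$ is a function from $\mathcal{X}$ to $\mathcal{Z}$. The operator describing the classical function output together with the quantum system $\mathcal{H}_B$ is then given by

$$\rho_{f(X)B} := \sum_{z \in \mathcal{Z}} |z\rangle\langle z| \otimes \rho_B^z \quad \text{for} \quad \rho_B^z := \sum_{x \in f^{-1}(z)} \rho_B^x, \tag{B11}$$

where $\{|z\rangle\}_{z \in \mathcal{Z}}$ is an orthonormal basis of $\mathcal{H}_Z$.

Assume now that the function $f$ is randomly chosen from a family $\mathcal{F}$ of functions according to the uniform probability distribution $P_F$. Then the output $f(x)$, the state of the quantum system, and the choice of the function $f$ are described by the operator

$$\rho_{F(X)BF} := \sum_{f \in \mathcal{F}} P_F(f)\, \rho_{f(X)B} \otimes |f\rangle\langle f| \tag{B12}$$

on $\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F$, where $\mathcal{H}_F$ is a Hilbert space with orthonormal basis $\{|f\rangle\}_{f \in \mathcal{F}}$. The system $\mathcal{H}_Z$ describes the distilled key, and the systems $\mathcal{H}_B$ and $\mathcal{H}_F$ describe the information which an adversary Eve can access. The following lemma states that the length of the securely distillable key is given by the conditional smooth min-entropy $H_{\min}^\varepsilon(\rho_{XB}|B)$.

Lemma 31 [14, Corollary 5.6.1] Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be a density operator which is classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$. Let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\{0, 1\}^\ell$, and let $\varepsilon \ge 0$. Then we have

$$d(\rho_{F(X)BF}|BF) \le 2\varepsilon + 2^{-\frac{1}{2}\left(H_{\min}^\varepsilon(\rho_{XB}|B) - \ell\right)}$$

for $\rho_{F(X)BF} \in \mathcal{P}(\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F)$ defined by Eq. (B12).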
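Definition 30 and Lemma 31 can be exercised in the purely classical special case where Eve's system $B$ is trivial and $\varepsilon = 0$. The following is an added example, not code from the paper: it uses a Toeplitz-type family of binary matrices (a standard two-universal family, chosen here as an assumption since the paper does not fix one), verifies the collision condition exhaustively, and compares the exact distance from uniform with the bound $2^{-\frac{1}{2}(H_{\min} - \ell)}$. The biased 8-bit source and all function names are constructed for illustration.

```python
from math import log2


def toeplitz_hash(seed, x, n, ell):
    """Hash the n-bit integer x to ell bits. The n + ell - 1 seed bits define a
    binary Toeplitz-type matrix; output bit i is the parity of x masked with
    the window of n seed bits that starts at seed position i."""
    window = (1 << n) - 1
    out = 0
    for i in range(ell):
        out |= (bin((seed >> i) & window & x).count("1") & 1) << i
    return out


def family(n, ell):
    """All seeds, i.e. all members of the hash family from n bits to ell bits."""
    return range(1 << (n + ell - 1))


def collision_probability(x1, x2, n, ell):
    """Pr_f[f(x1) = f(x2)] for f uniform on the family (Definition 30).
    The hash is linear over F_2, so a collision means f(x1 XOR x2) = 0."""
    d = x1 ^ x2
    seeds = family(n, ell)
    return sum(toeplitz_hash(s, d, n, ell) == 0 for s in seeds) / len(seeds)


def min_entropy(P):
    """H_min of a classical distribution: -log2 of its largest probability."""
    return -log2(max(P))


def distance_from_uniform(P, n, ell):
    """d(rho_{F(X)F}|F) for trivial B: the average over f of
    sum_z |P_{f(X)}(z) - 2^-ell| (no factor 1/2, as in Definition 29)."""
    seeds = family(n, ell)
    total = 0.0
    for s in seeds:
        out = [0.0] * (1 << ell)
        for x, p in enumerate(P):
            out[toeplitz_hash(s, x, n, ell)] += p
        total += sum(abs(q - 2.0 ** -ell) for q in out)
    return total / len(seeds)


def lemma31_bound(h_min, ell, eps=0.0):
    """Right-hand side of Lemma 31."""
    return 2 * eps + 2.0 ** (-0.5 * (h_min - ell))


def biased_source(n, q):
    """Constructed raw key: n independent bits, each equal to 1 with probability q."""
    return [q ** bin(x).count("1") * (1 - q) ** (n - bin(x).count("1"))
            for x in range(1 << n)]


def demo(n=8, q=0.3):
    """Return H_min of the source and (ell, exact distance, bound) per key length."""
    P = biased_source(n, q)
    h = min_entropy(P)
    return h, [(ell, distance_from_uniform(P, n, ell), lemma31_bound(h, ell))
               for ell in (1, 2, 3)]


if __name__ == "__main__":
    h, rows = demo()
    print(f"H_min = {h:.3f} bits")
    for ell, dist, bound in rows:
        print(f"ell = {ell}: distance = {dist:.4f}, bound = {bound:.4f}")
```

The bound degrades as $\ell$ approaches $H_{\min}$, which is the quantitative reason the key length in Theorem 38 must stay below the smooth min-entropy by a security margin.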

APPENDIX C: SYMMETRIC STATES 

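In this section, we review the property of symmetric states and the de Finetti style representation theorem [II EH. For more detail, refer to [14, Section 4].

Let $\mathcal{H}$ be a Hilbert space and let $\mathcal{S}_n$ be the set of permutations on $\{1, \ldots, n\}$. For any $\pi \in \mathcal{S}_n$, we denote by the same letter $\pi$ the unitary operation on $\mathcal{H}^{\otimes n}$ which permutes the $n$ subsystems, that is,

$$\pi(|\theta_1\rangle \otimes \cdots \otimes |\theta_n\rangle) := |\theta_{\pi^{-1}(1)}\rangle \otimes \cdots \otimes |\theta_{\pi^{-1}(n)}\rangle$$

for any $|\theta_1\rangle, \ldots, |\theta_n\rangle \in \mathcal{H}$.

Definition 32 [14, Definition 4.1.1] The symmetric subspace $\mathrm{Sym}(\mathcal{H}^{\otimes n})$ of $\mathcal{H}^{\otimes n}$ is the subspace of $\mathcal{H}^{\otimes n}$ spanned by all vectors which are invariant under permutations of the subsystems, that is,

$$\mathrm{Sym}(\mathcal{H}^{\otimes n}) := \{|\Psi\rangle \in \mathcal{H}^{\otimes n} \mid \pi|\Psi\rangle = |\Psi\rangle, \ \forall \pi \in \mathcal{S}_n\}.$$

Definition 33 [14, Definition 4.1.4] Let $|\theta\rangle \in \mathcal{H}$ be fixed, and let $0 \le m \le n$. We denote by $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ the set of vectors $|\Psi\rangle \in \mathcal{H}^{\otimes n}$ which, after some reordering of the subsystems, are of the form $|\theta\rangle^{\otimes m} \otimes |\tilde{\Psi}\rangle$, that is,

$$\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m}) := \{\pi(|\theta\rangle^{\otimes m} \otimes |\tilde{\Psi}\rangle) \mid \pi \in \mathcal{S}_n, \ |\tilde{\Psi}\rangle \in \mathcal{H}^{\otimes n - m}\}.$$

The symmetric subspace $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ of $\mathcal{H}^{\otimes n}$ along $|\theta\rangle^{\otimes m}$ is

$$\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m}) := \mathrm{Sym}(\mathcal{H}^{\otimes n}) \cap \mathrm{span}\, \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m}).$$

If $m \ll n$, then we can consider that a state $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n - m})$ is almost the same as the product state $|\theta\rangle^{\otimes n}$.

The following lemma states that a permutation-invariant mixed state has a purification in the symmetric space of an extended system.

Lemma 34 [14, Lemma 4.2.2] Let $\rho_n \in \mathcal{P}(\mathcal{H}^{\otimes n})$ be permutation-invariant. Then, there exists a purification $|\Psi\rangle \in \mathrm{Sym}((\mathcal{H} \otimes \mathcal{H})^{\otimes n})$ of $\rho_n$.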
The following lemma states that a pure state on a symmetric space can be approximated by a convex combination of pure states that are close to a product state.

Lemma 35 [14, Theorem 4.3.2] Let $\rho_{n+k}$ be a pure density operator on $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ and let $0 \le r \le n$. Then, there exists a measure $\nu$ on $\mathcal{S}_1(\mathcal{H}) := \{|\theta\rangle \in \mathcal{H} \mid \||\theta\rangle\| = 1\}$ and a pure density operator $\rho_n^{|\theta\rangle}$ on $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$ for each $|\theta\rangle \in \mathcal{S}_1(\mathcal{H})$ such that

Tr fe (p 'n+kj
Si(H)
p!?M|0»

where the base of ln is e.

The following lemma states that the smooth min-entropy of a density operator that is derived from a pure state on $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-m})$ can be approximated from below by the von Neumann entropy of a density operator that is derived from a product state $|\theta\rangle^{\otimes n}$.

Lemma 36 [14, Theorem 4.4.1] Let $0 \le r \le \frac{1}{2}n$, $|\theta\rangle \in \mathcal{H}$, and $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$ be normalized, and let $\mathcal{E}$ be a trace-preserving CP map from $\mathcal{H}$ to $\mathcal{H}_X \otimes \mathcal{H}_B$ that is classical on $\mathcal{H}_X$, i.e., $\mathcal{E}(\rho)$ is a {cq}-state for any $\rho \in \mathcal{P}(\mathcal{H})$. Define $\rho_{X^n B^n} := \mathcal{E}^{\otimes n}(|\Psi\rangle\langle\Psi|)$ and $\sigma_{XB} := \mathcal{E}(|\theta\rangle\langle\theta|)$. Then, for any $\varepsilon > 0$,

$$\frac{1}{n} H_{\min}^\varepsilon(\rho_{X^n B^n}|B^n) \ge H(\sigma_{XB}) - H(\sigma_B) - \delta,$$

where S = (f P max (a x ) + 4)^J 2 -^M Th^M-

Lemma 37 [14, Theorem 4.5.2] Let $0 \le r \le \frac{1}{2}n$, $|\theta\rangle \in \mathcal{H}$, and $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$ be normalized. Let $\mathcal{M} = \{M_z\}_{z \in \mathcal{Z}}$ be a POVM on $\mathcal{H}$, and let $P_Z$ be the probability distribution of the outcomes of the measurement $\mathcal{M}$ applied to $|\theta\rangle\langle\theta|$. Then we have

Pr[||P z -Pz|| >a] <e

for

n n 2
1)

where the probability is taken over the outcomes $\mathbf{z} = (z_1, \ldots, z_n)$ of the product measurement $\mathcal{M}^{\otimes n}$ applied to $|\Psi\rangle\langle\Psi|$.

Lemma 37 states that if the product measurement $\mathcal{M}^{\otimes n}$ is applied to $|\Psi\rangle\langle\Psi|$, then the probability that the type $P_{\mathbf{z}}$ of the outcomes deviates from the distribution $P_Z$ is small.

APPENDIX D: PROOF OF THEOREM 2

In this section, we prove Theorem 2. In Section D 1, we first prove the security against a known adversary. In Section D 2, we analyze the parameter estimation protocol. Then, using the results in Sections D 1 and D 2, we prove Theorem 2.

1. Security against known adversary

In this section, we analyze a situation after the parameter estimation of the QKD protocols, i.e., we assume the following situation. Alice and Bob have $2n$-bit binary sequences $(\mathbf{x}, \mathbf{y}) \in \mathbb{F}_2^{2n} \times \mathbb{F}_2^{2n}$ that are distributed according to a probability distribution $P_{\mathbf{XY}}$, and Eve can access the quantum system $\mathcal{H}_E$ whose state $\rho_E^{\mathbf{x},\mathbf{y}}$ is correlated to $(\mathbf{x}, \mathbf{y})$. This situation can be described by a {ccq}-state

$$\rho_{\mathbf{XY}E} = \sum_{(\mathbf{x},\mathbf{y})} P_{\mathbf{XY}}(\mathbf{x}, \mathbf{y}) |\mathbf{x}, \mathbf{y}\rangle\langle \mathbf{x}, \mathbf{y}| \otimes \rho_E^{\mathbf{x},\mathbf{y}}.$$

In the following, we follow the notations of Section 2 even though the distribution $P_{\mathbf{XY}}$ is not necessarily the product distribution Pj^y.

In order to agree on a secure key pair $(S_A, S_B)$, Alice and Bob perform the procedure as in Section 3. Then, the situation after the IR protocol and the privacy amplification can be described by a {ccq}-state

$$\rho_{S_A S_B C E} = \sum_{(s_A, s_B)} P_{S_A S_B}(s_A, s_B) |s_A, s_B\rangle\langle s_A, s_B| \otimes \rho_{CE}^{s_A, s_B},$$

where the classical system $C$ describes the exchanged messages $(T_1, T_2, W_1)$ in the IR protocol and the choice $F$ of the hash function in the PA protocol. As in Section 3, the distilled key pair $(S_A, S_B)$ is said to be $\varepsilon$-secure if

$$\frac{1}{2}\|\rho_{S_A S_B E'} - \rho_{S_A S_B}^{\mathrm{mix}} \otimes \rho_{E'}\| \le \varepsilon, \tag{D1}$$

where $\rho_{S_A S_B}^{\mathrm{mix}} := \sum_{s \in \mathcal{S}} \frac{1}{|\mathcal{S}|} |s, s\rangle\langle s, s|$ is the uniformly distributed key on $\mathcal{S}$. The above security definition for the key distillation protocol can be subdivided into two parts (see also [14, Remark 6.1.3]):

• The distilled key pair $(S_A, S_B)$ is $\varepsilon_c$-correct if $\sum_{s_A \neq s_B} P_{S_A S_B}(s_A, s_B) \le \varepsilon_c$.

• The distilled key $S_A$ is $\varepsilon_s$-secret if $\frac{1}{2} d(\rho_{S_A E'}|E') \le \varepsilon_s$.

In particular, if the distilled key $(S_A, S_B)$ is $\varepsilon_c$-correct and $\varepsilon_s$-secret, then it is $(\varepsilon_c + \varepsilon_s)$-secure.

The following theorem gives the relation between the 
security and the length of distilled key. 
Theorem 38 Assume that Alice and Bob's bit sequences after the IR protocol are identical to u with probability at least $1 - \varepsilon_1$, i.e.,

F XY ({(x,y) :u = u = u}) > l-e x . (D2) 

For a given number i?, Rq > 0, assume that the rate 
of linear codes that are used in the IR protocol satisfy 
S < R and ^ < R for all n Q < n < n . Further- 
more assume that the length £ of the distilled key by the 
privacy amplification satisfies 

I < ma,x[H^ in (p VWlE \'WiE) -nR- n R , 

^(puWiU^lWiUi^) - n Ro] - log(l/8e|p3) 

where puWiF and puWiUiB are derived from pxye by 
using the functions £i and £2 in the same way as in Sec- 
tion 2. Then the distilled key pair (Sa, Sb) is (e + 3ei)- 
secure, where e :— § \/8e- 

Proof. First, we will prove that the dummy key S :— 
/(U) is e-secret under the condition that Eve can access 
(Wi,Ti,T 2 ,*;£0, i-e-, 

^\\PSW 1 T 1 T 2 FE - PT* ® PWiT^FeW < £■ (D4) 

The assumption that Alice and Bob's bit sequence are 
identical to u with probability 1 — e\ implies that wi = 
wi and t2 = t2 with probability 1 — e±. Since (u, u), 
(wi,wi), and (t2,t2) can be computed from (x, y), by 
using Lemma [3 we have 

IIPxYUWjTitaFB - PXYUWiTiT 2 FF | < 2£l. 

Since the trace distance does not increase by CP maps, 
we have 

\\Ps a w 1 t 1 t 2 fe ~ Psw 1 t 1 t 2 fe\\ < 2ei. 

Thus the statement that the dummy key 5 is e-secret im- 
plies that the actual key Sa is (e + 2ei)-secret as follows: 

\\PSa~WiTiT 2 FE ~ PS A ® ^WiTiT 2 -F-eII 
- H/ , S A W 1 T 1 t 2 _F£; ~ ASWiT^FeH 

+ 11 ASWiTiTaFF — Ps'* ® PWiTiT 2 Ff| 

+ ® PW lTl T 2 FF " pf* <8> Pw iTi T 2 FfH' 

where the first term is upper bounded by 2ei, the sec- 
ond term is upper bounded by e, and the third term is 
also upper bounded by 2s\ because p™ IX = p™ x . The 
assumption of Eq. (|D2[) also implies that the distilled 
key is ei-correct. Thus the distilled key pair (Sa,Sb) is 
(e + 3ei)-secure. 

In order to prove Eq. (|D4[) . we use Lemma [3TJ which 
gives the relation between the security and the length of 
the distilled key. If the length £ of the distilled key by 
the privacy amplification satisfies 

log(l/8e) + £ < H^ipv^T^ElWxT^E), (D5) 



then the distilled key S is e-secret. By using Corollary 
|2"B1 we can lower bound the r.h.s. of Eq. (|D5|) by 

#min(Puw 1 F|Wi£') - nR - n Ro, 

because the size of messages Ti and T 2 are upper 
bounded by nR and n^Ro respectively. Thus we have 
shown the statement of the theorem for the first argu- 
ment of the maximum in Eq. (|D3|) . 

Since the syndrome Ti is computed from the sequence 
Ux, if the distilled key S is e-secret in the case that Eve 
can access the sequence Ui, then the distilled key S is e- 
secret in the case that Eve can only access the syndrome 
Ti instead of the sequence Ui. Again using Lemma [3X1 
if the length of the distilled key satisfies 

log(l/8e) + £< fl^puwxUxT.BlWiUiTaE), (D6) 

then the distilled key S is e-secret. Again using Corollary 
[23l we can lower bound the r.h.s. of Eq. (|D6|) by 

^minC/OUWiUiFlWiUii?) -n R . 

Thus we have shown the statement of the theorem for 
the second argument of the maximum in Eq. (|D3[) . □ 



2. Fluctuation of the actual error rate 

In this section, we show that the parameter estimation works with high probability (Lemma 39). Then, we show that the information reconciliation protocol works for symmetric errors if the protocol universally works for the i.i.d. errors that are close to the estimated error distributions in the parameter estimation protocol (Lemma 40).

For the output Q e Q of the parameter estimation 
protocol, let 

r M (Q) := {(tab S V{H A <8> Kb) I \\P a A AB - Q\\ < p} 

be a set of two-qubit density operators that are com- 
patible with the output Q with a fluctuation n, where 
P^ AB denotes the probability distribution of the out- 
comes when measuring gab by the POVM A4, i.e., 
Pa ab (ci) := Tr[M a (T ab] ■ When p m = erf™ is a product 
state for gab 4- ^(Q), then by the law of large numbers, 
the probability such that the parameter estimation proto- 
col outputs the type Q is negligible. The following lemma 
generalize this statement to permutation-invariant states. 

Lemma 39 [3, Lemma 6.2.2] Let < r < \m. 

Moreover, let \9) € Uabe ■= Ha <8> U B ® 
TIe, and let p^ mBmEm be a density operator on 
Sym(7tf™ B ,|0)^ m -'')- For any e P > 0, if Tr E \9){0\ £ 
r M (Q) for 

M-2J^1M + Mr/TO) + M l0g( - +1) , m 
V m mi 
then the probability such that the parameter estimation
protocol outputs Q is at most ep, i.e., £q{p \™ B m ) < ep. 

For the POVM A4 X y, which is used for obtaining the 
raw keys in the QKD protocol, let P x ^f be the probabil- 
ity distribution of the outcomes when measuring gab by 
the POVM Mxy, i.e., P x ^ B (x,y) := \ v M, ;i n U! . For 



3. Security proof

In order to save space, we abbreviate 2n + m by K. 
In this section, if there are two operators p £ V(H) and 
p £ V(7t), then the former represents the normalized 
density operator of the latter, i.e., p = ^=p- 



log(l/£2) 
2n 



h(r/2n) 



log(n + l) 



(D8) 



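let

$$\mathcal{Q}_\mu(Q) := \{P \in \mathcal{P}_{2n}(\mathbb{F}_2^2) \mid \min \|P^{\sigma_{AB}}_{XY} - P\| \le \mu\}$$

be a subset of all types on $\mathbb{F}_2^2$. Note that if we measure
a product state $\sigma_{AB}^{\otimes 2n}$ of $\sigma_{AB} \in \Gamma_\mu(Q)$ by the product
POVM $\mathcal{M}_{XY}^{\otimes 2n}$, then the joint type $P_{xy}$ of the outcomes
is contained in the set $\mathcal{Q}_\mu(Q)$ with high probability.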

Lemma 40 Let p^l n B2nE 2n be a density operator on 

Sym(H% n E ,\0)® 2n ~ r )- Let P^ £ V{¥ 2 2 n x Ff") be a 
probability distribution of the outcomes when measuring 
/ofL B 2n by the POVM M x 2 Y l . Assume that Alice and 
Bob's bit sequence after the IR protocol are identical to 
u with probability at least 1 — e\ for any probability dis- 
tribution P £ Qp(Q), i.e., 



P 2 "({(x,y):u/uoru/u})< £l . 
If Tr £ |0)(0| £ r M (Q), then we have 



(D9) 



P^({(x, y) :u/uori/u})< Le 1 + e 2 , (D10) 



where $L := (2n+1)^3$, and $\varepsilon_2$ is given in Eq. (D8).
Proof. For each type $P \in \mathcal{P}_{2n}(\mathbb{F}_2 \times \mathbb{F}_2)$, let

|{(x,y) :u^uoru^u}nT| n | 



7p 



\n n \ 



be the ratio of pairs of sequences in $T_P^{2n}$ such that Alice or
Bob's sequences after the IR protocol are not identical to
$u$. Since the distribution $P_{XY}^{\rho_{A^{2n}B^{2n}}}$ is permutation invariant,
we can rewrite the l.h.s. of Eq. (D10) as



E 

PeQ A (Q) 



7 pF^(r p 2 ")+ £ 7 ppl^(T P 2 ").(Dll) 

P<tQp.{Q) 



Since $\mathrm{Tr}_E|\theta\rangle\langle\theta| \in \Gamma_\mu(Q)$, by using Lemma 39 the second
term of Eq. (D11) is upper bounded by $\varepsilon_2$.

On the other hand, by using Eq. (A3), we have



ex > lP P Zn (T 2n ) > 



1p 



{2n + 1)3 



for any $P \in \mathcal{Q}_\mu(Q)$. Thus, the first term of Eq. (D11) is
upper bounded by $(2n+1)^3\varepsilon_1$. □



a. Parameter estimation 

We first analyze the situation after the parameter estimation
protocol is executed. More specifically, by using
Lemmas 35 and 39 we will show Eq. (D13), which states
that the density operator $\rho^{Q}_{A^{2n}B^{2n}E^{2n}}$ after the parameter
estimation protocol can be approximated by a convex
combination of almost product states.

Since the tripartite state $\rho_{A^NB^NE^N}$ lies on the symmetric
subspace of $\mathcal{H}_{ABE}^{\otimes N} := (\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes N}$, by
using Lemma 35 the density operator $\rho_{A^KB^KE^K}$ is
approximated by a convex combination of almost product
states, i.e.,



\Pa k b k e k 



\8) 

Pak b k e kV{\0))\\ < K, 



Si 



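where the integral runs over the set $\mathcal{S}_1 := \mathcal{S}_1(\mathcal{H}_{ABE})$ of
normalized vectors on $\mathcal{H}_{ABE}$, where

$$\rho^{|\theta\rangle}_{A^KB^KE^K} \in \mathcal{P}(\mathrm{Sym}(\mathcal{H}_{ABE}^{\otimes K}, |\theta\rangle^{\otimes K-r}))$$

for any $|\theta\rangle \in \mathcal{S}_1$, and where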
2N 



k 



{ln(2//t) + dim(H A ® H B ) • In k}. 



Since the trace distance does not increase by applying a 
CP map, we have 



\o Q 

\P A 2n B 2r lE 2n 



^iV^(|0>)ll<«> (° 12 ) 



Si 



where 



~Q,\6) ,. A 

P A 2^ B 2^ E 2 n '■— \}Q-A 2n B 



2„ ® £q ® id B 2„)(p 



A K B K E 2n 



Let 



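$$\mathcal{V}_\mu := \{|\theta\rangle \in \mathcal{S}_1 \mid \mathrm{Tr}_E|\theta\rangle\langle\theta| \in \Gamma_\mu(Q)\}$$

be the subset of $\mathcal{S}_1$ that is compatible with the output $Q$
of the parameter estimation protocol with the fluctuation
$\mu$. From Lemma 39, if $|\theta\rangle \notin \Gamma_\mu(Q)$, then the probability
that the parameter estimation protocol outputs $Q$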

is at most ep, i.e., H/J^n ^n w- W — £ p- Thus, we can 
restrict the integral in Eq. (|D12|1 to the set V M as 



lf^4 2 "B 2 ".E 2 ™ Pa^B 2 "E 2 » 



< 



\P A 2n B 2n B 2n 



+ 11 / P&V^KIWII^K + ep. 



^ 2 LV E -KI^))II 
where we set

~Q>V„ f ~Q,\e) nav , 

and $\mathcal{V}_\mu^c$ is the complement of $\mathcal{V}_\mu$ in $\mathcal{S}_1$. By using the
following Lemma 41, the normalized versions of the
operators satisfy

\\p% nB ^ E . n ~ P% B 2 nE 2n II < 2f , (D13) 

where f 

Lemma 41 Let p, a € VifH) be (not necessarily normal- 
ized) operators. Assume that ||p — <r|| < e for e > 0. Let 
p := ij^/O and a := Tj^cr be the normalized operators. 
Then, we have \\p — a\\ < 2e for e := 

Proof. From the assumption, we have ||p— ct|| < £, where 
a := Tj^cr. By using the triangle inequality, we have 

l-e<IH|-||p-&||<IHI<IHI + ||&-p||<l+e. 
Thus, we have 

|k-a|| = |l-|H||< £ - 
Using once again the triangle inequality, we have 
\\p-<r\\ < \\p-&\\ + l|o--cr|| < 2i. 

a 



where P X y" i s the probability distribution of the out- 
comes when measuring p^^, B2n by Mf?y ■ Since 
p'a^'b 2 ™ E 2n ^ s a convex combination of density oper- 
ators p Q J° B2nE 2 n on Sym(H r f B n E ,\9)® 2n - r ) such that 
$\mathrm{Tr}_E[\,|\theta\rangle\langle\theta|\,] \in \Gamma_\mu(Q)$, by using Lemma 40 we have
Eq. (D14).

c. Privacy amplification 

In this section, we analyze the PA protocol. By apply- 
ing Theorem [351 if the length £(Q) of the distilled key 
satisfies 

l(Q) < 

max^Jpg^^lW!^) - nR(Q)-n R (Q), 

HLn(Pvw 1 u 1 E-\Wi^iE N )^no(Q)MQ)} 
- log(l/8e), (D15) 

then the distilled key is (3\/2l + 3£i + 3e 2 + 6f)-secure, 
where p^j WlEN and puw^^" are derived from p^ YEN 
by using functions £i and £2 in the same way as in Sec- 
tion 2. Let e :— %/24-r. Multiplying the probability 
P PE (Q), the quantities Pp E {Q)3V2i < 6(6(k + £p)) 1/4 
and Ppe(Q)6t = 6(k + £p) goes to as k, £p — * 0. Thus, 
the security of the distilled key, i.e., the l.h.s. of Eq. (2) 
goes to as n, £ P , e\, e 2 — > 0. 

d. Evaluation of key rate 



b. Information reconciliation 

According to Section 2, the IR protocol universally 
works with a negligible error probability for i.i.d. er- 
rors, if we set the parameters R{Q) = H{Pw t ) + 8, 
Ro(Q) = H(P W2lWl=a ) + S, & = P Wl (0) + S, and 
= Pwi (0) +S. In this section, by using Lemma 40, we
show that the IR protocol also works with a negligible
error probability in the QKD protocol, i.e.,

P^ Y ({(x, y) : u ^ u or u ^ u}) < £1 + e 2 + 2f,(D14) 



where $P_{XY}^{\rho_{A^{2n}B^{2n}}}$ is the probability distribution of the
outcomes when measuring $\rho_{A^{2n}B^{2n}}$ by $\mathcal{M}_{XY}^{\otimes 2n}$. Note that
$\varepsilon_1$ is the error probability of the IR protocol for i.i.d. errors,
which exponentially goes to 0 as $n \to \infty$ if we use
appropriate linear codes [26, Corollary 2]. As we will see
later, $\varepsilon_2$ also exponentially goes to 0 as $n \to \infty$.

By using the fact that the trace distance does not increase
by the CP map (measurement by $\mathcal{M}_{XY}^{\otimes 2n}$), the l.h.s.
of Eq. (D14) is upper bounded by

P%?" ({ (x, y) : u ± u or u + u}) + 2f , 



One more thing we have left is to replace the r.h.s. of
Eq. (D15) by a smaller but more concise expression. Noting
that k + ep < £, we can replace the last term log(l/8e) 
by log(l/8( K + £ P )). 

Let := {£fj ®i& E ^){p Q J° B . nE 2nl and let 

E 2 n be the density operator derived from Pxye 2 » 
in the same way as in Section 2. Since p^nganExn lies 
on Sym(W®? Baj3a , \6 2 )® n ~ r ) for \6 2 ) := |(9)® 2 , we can use 
Lemma [36] to obtain 

1 



TT^+ep) ( Q,\B) 



|WiP 



2 n \ 



> H^UxU^WiExEz) - 5', (D16) 



where 



s , :=9l /21og(4/(« + ep )) +/t(r/n)> 



and where vuiU 2 WiEiE 2 is derived from 
ax^Y^E^ := (£fy ® id| 2 )(|^) (^P 2 ) in the 
same way as in Section 2. 

Let PuWiB 2 " he a density operator derived from 
PxYff" := (^xy ® id£2„)(p^ 2 ^ 2 „ E2n ) in the same way 






as in Section 2. Since p^B 2 " * s a convex combination 
of density operators PuWiB 2 ™' ^y using Eqs. ()B5[) and 
(IB6|) in Lemma [24l we have 

^it £p) (^ lE -|Wx^ 2 ") 

^r p) (^u-i w ^ 2n )- (° i7 ) 

Since the trace distance does not increase by a CP
map, we have



!l/W^-Puw lS -ll<2r. (D18) 



By using (a) Lemmas [J7] and (b) Eq. (|Dl8|) and 
Lemma [281 (c) k + s p < f, (d) Eqs. ([016]) and l|D17|l . we 

have 



log dim7i£ 



n 



log dim H e 



(d> 2(m 4- yfc") 

> min ^({/iZJalWi^i-Ea) - 5' - — — — logdimHs. 



In a similar manner, we have 



it Wi^v^ 



, 2(m + k) 
o log dim H E ■ 



Finally, setting k := a.\n, m := a 2 n, n := e aa , where 
e P := 2~ aim 1 e 2 := 2~ a '- n , and taking n -> oo and 

ai,a2,a3,a 4 ,a 5 -> 0, we have the assertion of theorem. := 10(^1, Xi))(^(x 1 ,x 1 )| ® |^(x 2 ,x 2 ))(0(a; 2 ,x 2 )| 



APPENDIX E: PROOF OF THEOREM 3 



for x = (xx, x%) and x = (xi, x 2 ). 
Noting that 



This section presents a proof of Theorem 3 in the main 
text. 
Let 

\^abe) := ]T v / ^xz(x,z)|^(x,z))|x,z> 

x,z£F 2 

= E y/Px.(x)\x,x + x)\<l>(x,x)) 

x,x<EF 2 

be a purification of <r AB = Ex,zeF 2 IV^x, z)) (V>(x, z)|, 
where we set 



\<f>(x,x)) 



1 



^x(x) 



^(-irv^(x^)|x,z), 



z£F 2 



and where -Px(x) = J2zew 2 -Pxz(x, z) is a marginal distri- 
bution. Then, let 



&X 1 X 2 Y 1 Y 2 E 1 E 2 

Zf Y ® ia £ 



(£f^idl 2 )(|VMB B )(V^r) 



= E ^x(*)l*,* + *>' 



x, X + x <X> cr 



E x E 2 i 



s,xe¥j 



we have 



P^X^Y^, x + x) = ^-P x (x)> 



-Pc 2 |M/i=o(w 2 ) 
-P(7 2 |M/ 1 = i(m 2 ) = 1 



1 

x l+ x 2 = lL, l 

1 

2 



W 2 |Wi 



=o(w 2 ) 



Px(w 2 ,w 2 ) 



Pw 2 \w 1 =i(0) — 1- 
Using these formulas, we can write 

C[/itWi£i,E 2 = E E P U 1 (ui)Pw 1 {wi) 



Pu 2 \W 1 =w x (u2)\u,Wl)(u,Wi\ ®(J^l 



E 2 
for u = (tti, U2), where On the other hand, by taking partial trace of

(j UiU 2 WiE 1 e 2 over the system U\, we have 



-U,Wi \ y tj 1 \ uG,(w-l,w 2 )G 

<J E 1 E 2 '■- W2 \Wi=o{ w 2) CT El E2 



W 2 £¥ 2 



for wi — and a matrix G = [ ^ q ) , and 



1 1 \ , Mi,tuiGF 2 



-U,Wl \ ^ 1 (u 

E1E2 ' / * ^ Ei 
a,b£F 2 



1 _(ui,a)G,(toi,f))G 

il2 



fff/iWiEiBj = E \ P Wt{W\)\u\,Wx){ui,-< 
,toiGF 2 

u 2 eF 2 / 



Thus, we have 



for wi = 1. 

Since supports of rank 1 matrices {ov'*^ iy^F 2 are or- 7JV , , rr/n % . v - ^ 1 n / \ 

Stu 1 E 1 E 2 i^& 2 H(a UlWlEl E 2 ) = l + H(P Wl )+ 

thogonal to each other, cr E ,w E2 for wi — is already eigen «i,ii>i eF 2 

value decomposed. Applying Lemma 22] for J = {00, 10} / 

and C = C 1 - = {00, 11}, we can eigen value decompose u I P, T (n„\^ Ul ' u ^' Wl 

a & ■* l'2|W r i=u>i \ U 2)< J E 1 E 2 

°e\e 2 for = 1 as \u 2 eF 2 

4fi - E ^E^d)WK,o),x,r)) W K,o),x,r)i, = 1 + ff( ' x)+ 5 Fx(W ^ J ' 

6GF 2 ]* eJ 



(E3) 



where we follow the notations in Lemma [4"2l for m = 2. 

Thus, we have Combining Eqs. (|ETj) and (|E3j) . we have 



H{a UlU2WlElE2 ) H a (U 2 \WxU 1 E 1 E 2 ) - P Wl {0)H(P W2 \ Wl=0 ) 

= H(P Ul )+H(P Wl )+ P Wl M{H(Pu 2 m= Wl ) = Px(0)(l-tf(P xz )). 

w 1 ew 2 

+ Y p Ui (ui)Pu 2 \w 1 =w 1 (u2)H(a E '^ 2 )} Lemma 42 Let C be a linear subspace of F™. Let 

aeF| 

= i+H(p % ) + p % (o){i+H(p m=a )} \tp m {x,x))-=L= y {-if^p^m^, 

+ P x (l)H(P m=1 ). (El) V 

Taking the partial trace of &u 1 u 2 w 1 e 1 e 2 over systems and a E ^ :— \ip m (x, x)){(p m (x, x)|. Let J be a set of coset 

Ui,U2, we have representatives of the cosets F™ / C, and 

CTw lBl ij 2 = E P m(«i)ki)(^i| Ecec^ p xz(x,r+c) 

«Ji6F 2 J P||X^=5?(j) := — 5 pm(£) 

be conditional probability distributions on J. Then, for 
any a £ F™ , we have 

Thus, we have 1 - , - - .-^ ^ 

_ E = E P J|x™=x(j)l^x,j)>W5,x,j)UE4) 

Hi^WxE^) = H(P Wl )+ Y Pwiiwi) sec 1 1 



w 1 e¥ 2 



where 



H \ Y P UiPu2\Wi=wiMo- E ^ E2 

,aeF2 / l^(a,x,j)) 



E v /p xi(x ; r+ c)ix,r+ c). 



= H(P K ) + Y P x(0)H(P m ^). (E2) 

x£F 2 

Combining Eqs. (fETj) and (fE2|) . we have eeCJ - 

H^U^W^Ez) - H^PwMHiPw^ Remark 43 If j / i, obviously we have 

- 2 - H (P Xf ) + Px(l){ff(Pj 5j| x =1 ) - 1} (tf(a,x,j5|tf(a,x,i)) = 0. Thus, the right hand side 



2 - 2ff (Pxz) + Px(l)ft 



+ P01P11 \ °f ^Q- (EH is an eigen value decomposition. Moreover, 



(poo +pai)(pw +Pn) J ' if a + 6 e C, then we have |i?(a,x,j)) = |i?(6,x,j)). 
Proof. For any x £ C and a £ F™ , we can rewrite
1 



\tp(x + a,x)) = 



P^(x,j + c)|x,j + c) 



feJ 



be the discrete- twirled operator of ctab ■ Note that <jab 
is of the form E x ,zeF 2 Pxz(x, z)|^(x, z))(^(x, z)| 0. Let 



s.t 

r C/iC/ 2 Wi 



Then, we have 



^ e a density operator derived from a purifi- 
cation a s ^2 B 2 E 2 of c^ 2b2 in the same way as o-u 1 u 2 w 1 e 1 e 2 
is derived from a purification a® be of erf^ in Section 

2, where 0^1 B 2 := o^b* <8> o- s ^ B for s = (si,s 2 ) and 
$t = (t_1, t_2)$. Since a phase flip error does not affect the
measurement in the $\{|0_z\rangle, |1_z\rangle\}$-basis, and since a bit flip
error only permutes the indices of the measurement results,
we have



fee 1 1 



x-\-a,x 



?ec' 1 ijej 

\0(s,z,ty{4(a,s,j)\ 



= E i^r(-l) sf,(i+j Vi , J|x»^(O^J|x«^(D 

fjeJ 1 1 

|0(a,x\i))(tf(a,x,j)| 

= Pj|x™=xO)l^(« I x,]}) (tf(a, x, j)|, 
le J 

where $\cdot$ is the standard inner product on the vector space
$\mathbb{F}_2^m$, and we used the following equality.



for i 7^ j. 



□ 



APPENDIX F: BELL DIAGONAL STATE IS THE 
WORST CASE 

In this section, we show that the evaluation of
the key rate formula for a Bell diagonal state is the
worst case. Let $\sigma_{AB}$ be a two-qubit density operator
such that Bell diagonal entries are $\{P_{XZ}(x,z)\}$, i.e.,
$\langle\psi(x,z)|\sigma_{AB}|\psi(x,z)\rangle = P_{XZ}(x,z)$. Let $\{XZ(x,z)\}_{x,z \in \mathbb{F}_2}$
be the Pauli operators on the qubit, let
$\sigma^{s,t}_{AB} := XZ(s,t)^{\otimes 2}\,\sigma_{AB}\,XZ(s,t)^{\otimes 2}$, and let


O AB 



1 \ s.t 
4 2^ °AB 

s,tGF 2 



H a {U 1 U 2 \W 1 E 1 E 2 ) = H a , x {U 1 U 2 \W 1 E 1 E 2 ) 



Let 



\®ABESTS'T') '■ = 



E \\&abe)\*iW) 

s,t(EF 2 



s,t 
ABE I 



7 ABE' 



be a purification of &ab, where \^ S abe) ($ 
Let 

^UiU2W 1 E 1 E 2 sf S'f a density operator derived from 
&abests't> m the same wa Y as < j u 1 u 2 w 1 e 1 e 2 is derived 



from 



ABE- 



Then, by using the strong subadditivity of
von Neumann entropy, we have

H a (UiU 2 \W 1 E 1 E 2 SfS'V) 
< H d {U 1 U 2 \W 1 E 1 E 2 SJ) 

= E ■^ H MUiU2\W 1 E 1 E 2 ) 
s,t*eF| 

= H^UxU^WxExEi). 
In a similar manner, we have

Ha {U 2 \Wi UiE^STS'V) 
< H a {U 2 \WiUiEiE 2 ). 



On the other hand, $P_{W_1}$ and $P_{W_2|W_1=0}$ are invariant under
the discrete twirling operation. Thus, the Bell diagonal
state is the worst case for fixed Bell diagonal entries
$\{P_{XZ}(x,z)\}$.
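The discrete twirling used in this appendix can be checked numerically. The following is an added example, not code from the paper: it assumes the convention XZ(s,t) = X^s Z^t and the Bell labelling |ψ(x,z)⟩ = (I ⊗ XZ(x,z))(|00⟩ + |11⟩)/√2, builds a constructed random two-qubit state, and reports that the twirl leaves the Bell diagonal entries unchanged while removing the off-diagonal ones.

```python
import itertools
import random

I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]
IDX = list(itertools.product((0, 1), repeat=2))  # index pairs (x, z) or (s, t)

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def dagger(a):
    return [[complex(v).conjugate() for v in col] for col in zip(*a)]

def pauli(s, t):  # single-qubit XZ(s, t) = X^s Z^t (assumed convention)
    return matmul(X if s else I2, Z if t else I2)

def bell(x, z):
    """Column vector (I (x) XZ(x, z)) (|00> + |11>)/sqrt(2) (assumed labelling)."""
    return matmul(kron(I2, pauli(x, z)), [[2 ** -0.5], [0], [0], [2 ** -0.5]])

def random_state(seed):
    """Constructed sample input: a random two-qubit density matrix A A^dagger / Tr."""
    rng = random.Random(seed)
    a = [[complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(4)] for _ in range(4)]
    rho = matmul(a, dagger(a))
    trace = sum(rho[i][i] for i in range(4)).real
    return [[v / trace for v in row] for row in rho]

def twirl(rho):
    """Discrete twirl: (1/4) * sum over s, t of U rho U^dagger, U = XZ(s, t) (x) XZ(s, t)."""
    out = [[0j] * 4 for _ in range(4)]
    for s, t in IDX:
        u = kron(pauli(s, t), pauli(s, t))
        term = matmul(matmul(u, rho), dagger(u))
        out = [[out[i][j] + term[i][j] / 4 for j in range(4)] for i in range(4)]
    return out

def bell_entry(rho, a, b):
    """Matrix element <psi(a)| rho |psi(b)> for Bell indices a = (x, z), b = (x', z')."""
    return matmul(matmul(dagger(bell(*a)), rho), bell(*b))[0][0]

def twirl_report(rho):
    """Return (largest change of a Bell diagonal entry, largest off-diagonal entry left)."""
    tw = twirl(rho)
    diag = max(abs(bell_entry(rho, a, a) - bell_entry(tw, a, a)) for a in IDX)
    off = max(abs(bell_entry(tw, a, b)) for a in IDX for b in IDX if a != b)
    return diag, off
```

Calling `twirl_report(random_state(7))` returns two values at the level of floating-point rounding error.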